summaryrefslogtreecommitdiff
path: root/testing/tests
diff options
context:
space:
mode:
authorRene Mayrhofer <rene@mayrhofer.eu.org>2010-11-28 11:42:20 +0000
committerRene Mayrhofer <rene@mayrhofer.eu.org>2010-11-28 11:42:20 +0000
commitf73fba54dc8b30c6482e1e8abf15bbf455592fcd (patch)
treea449515607c5e51a5c703d7a9b1149c9e4a11560 /testing/tests
parentb8064f4099997a9e2179f3ad4ace605f5ccac3a1 (diff)
downloadvyos-strongswan-f73fba54dc8b30c6482e1e8abf15bbf455592fcd.tar.gz
vyos-strongswan-f73fba54dc8b30c6482e1e8abf15bbf455592fcd.zip
[svn-upgrade] new version strongswan (4.5.0)
Diffstat (limited to 'testing/tests')
-rwxr-xr-xtesting/tests/gcrypt-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf1
-rw-r--r--testing/tests/gcrypt-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/gcrypt-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf1
-rw-r--r--testing/tests/gcrypt-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf2
-rw-r--r--testing/tests/gcrypt-ikev1/alg-camellia/test.conf4
-rwxr-xr-xtesting/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/ipsec.conf1
-rw-r--r--testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/ipsec.conf1
-rw-r--r--testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf2
-rw-r--r--testing/tests/gcrypt-ikev1/alg-serpent/test.conf4
-rwxr-xr-xtesting/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/ipsec.conf1
-rw-r--r--testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/ipsec.conf1
-rw-r--r--testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf2
-rw-r--r--testing/tests/gcrypt-ikev1/alg-twofish/test.conf4
-rw-r--r--testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/strongswan.conf2
-rw-r--r--testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/strongswan.conf2
-rw-r--r--testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/strongswan.conf2
-rw-r--r--testing/tests/gcrypt-ikev2/alg-camellia/test.conf4
-rw-r--r--testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf2
-rw-r--r--testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf2
-rw-r--r--testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf2
-rw-r--r--testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/ike/rw-cert/hosts/dave/etc/ipsec.conf2
-rwxr-xr-xtesting/tests/ike/rw-cert/hosts/moon/etc/ipsec.conf1
-rw-r--r--testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf2
-rw-r--r--testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf2
-rw-r--r--testing/tests/ikev1/alg-blowfish/test.conf4
-rwxr-xr-xtesting/tests/ikev1/alg-sha256-96/hosts/carol/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/alg-sha256-96/hosts/moon/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/alg-sha256-96/test.conf4
-rwxr-xr-xtesting/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/alg-sha256/test.conf4
-rwxr-xr-xtesting/tests/ikev1/alg-sha384/hosts/carol/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/alg-sha384/hosts/moon/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/alg-sha384/test.conf4
-rwxr-xr-xtesting/tests/ikev1/alg-sha512/hosts/carol/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/alg-sha512/hosts/moon/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/alg-sha512/test.conf4
-rwxr-xr-xtesting/tests/ikev1/attr-cert/hosts/carol/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/attr-cert/hosts/dave/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/attr-cert/hosts/moon/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/ikev1/compress/hosts/carol/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/compress/hosts/moon/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/compress/test.conf4
-rwxr-xr-xtesting/tests/ikev1/crl-from-cache/hosts/carol/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/crl-from-cache/hosts/moon/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/crl-ldap/hosts/carol/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/crl-ldap/hosts/moon/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/crl-revoked/hosts/moon/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/crl-strict/hosts/carol/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/crl-strict/hosts/moon/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/crl-to-cache/hosts/carol/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/crl-to-cache/hosts/moon/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/default-keys/hosts/carol/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/default-keys/hosts/carol/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/ikev1/default-keys/hosts/moon/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/default-keys/hosts/moon/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/ikev1/double-nat-net/hosts/alice/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/double-nat-net/hosts/bob/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/double-nat/hosts/alice/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/dpd-restart/hosts/moon/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/dynamic-initiator/hosts/carol/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/dynamic-initiator/hosts/moon/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/dynamic-responder/hosts/carol/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/dynamic-responder/hosts/moon/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/dynamic-two-peers/hosts/carol/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/dynamic-two-peers/hosts/dave/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/dynamic-two-peers/hosts/moon/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/esp-ah-transport/hosts/carol/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/esp-ah-transport/hosts/moon/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/esp-ah-tunnel/test.conf4
-rw-r--r--testing/tests/ikev1/esp-alg-aes-ccm/test.conf4
-rw-r--r--testing/tests/ikev1/esp-alg-aes-ctr/test.conf4
-rw-r--r--testing/tests/ikev1/esp-alg-aes-gcm/test.conf4
-rw-r--r--testing/tests/ikev1/esp-alg-aes-gmac/test.conf4
-rwxr-xr-xtesting/tests/ikev1/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/esp-alg-aesxcbc/test.conf4
-rwxr-xr-xtesting/tests/ikev1/esp-alg-des/hosts/carol/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/esp-alg-des/hosts/moon/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/esp-alg-des/test.conf4
-rwxr-xr-xtesting/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/esp-alg-null/test.conf4
-rwxr-xr-xtesting/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/esp-alg-weak/hosts/carol/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/esp-alg-weak/hosts/moon/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/host2host-swapped/hosts/moon/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/host2host-swapped/hosts/sun/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/host2host-transport/hosts/moon/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/host2host-transport/hosts/sun/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/ip-pool-db-push/hosts/carol/etc/strongswan.conf2
-rw-r--r--testing/tests/ikev1/ip-pool-db-push/hosts/dave/etc/strongswan.conf2
-rw-r--r--testing/tests/ikev1/ip-pool-db-push/hosts/moon/etc/strongswan.conf2
-rw-r--r--testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf2
-rw-r--r--testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf2
-rw-r--r--testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf2
-rw-r--r--testing/tests/ikev1/ip-pool/hosts/carol/etc/strongswan.conf2
-rw-r--r--testing/tests/ikev1/ip-pool/hosts/dave/etc/strongswan.conf2
-rw-r--r--testing/tests/ikev1/ip-pool/hosts/moon/etc/strongswan.conf2
-rw-r--r--testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf2
-rw-r--r--testing/tests/ikev1/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf2
-rw-r--r--testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf2
-rw-r--r--testing/tests/ikev1/ip-two-pools/hosts/alice/etc/strongswan.conf2
-rw-r--r--testing/tests/ikev1/ip-two-pools/hosts/carol/etc/strongswan.conf2
-rw-r--r--testing/tests/ikev1/ip-two-pools/hosts/moon/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/ikev1/mode-config-multiple/hosts/carol/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/mode-config-multiple/hosts/dave/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/mode-config-multiple/hosts/moon/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/ikev1/mode-config-push/hosts/carol/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/mode-config-push/hosts/carol/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/ikev1/mode-config-push/hosts/dave/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/mode-config-push/hosts/dave/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/ikev1/mode-config-push/hosts/moon/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/mode-config-push/hosts/moon/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/ikev1/mode-config-swapped/hosts/carol/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/mode-config-swapped/hosts/dave/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/mode-config-swapped/hosts/moon/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/mode-config/hosts/carol/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/mode-config/hosts/carol/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/ikev1/mode-config/hosts/dave/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/mode-config/hosts/dave/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/nat-before-esp/hosts/moon/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/nat-before-esp/hosts/sun/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/nat-two-rw-mark/description.txt16
-rw-r--r--testing/tests/ikev1/nat-two-rw-mark/evaltest.dat18
-rwxr-xr-xtesting/tests/ikev1/nat-two-rw-mark/hosts/alice/etc/ipsec.conf27
-rwxr-xr-xtesting/tests/ikev1/nat-two-rw-mark/hosts/sun/etc/ipsec.conf36
-rwxr-xr-xtesting/tests/ikev1/nat-two-rw-mark/hosts/sun/etc/mark_updown527
-rwxr-xr-xtesting/tests/ikev1/nat-two-rw-mark/hosts/venus/etc/ipsec.conf27
-rw-r--r--testing/tests/ikev1/nat-two-rw-mark/posttest.dat11
-rw-r--r--testing/tests/ikev1/nat-two-rw-mark/pretest.dat21
-rw-r--r--testing/tests/ikev1/nat-two-rw-mark/test.conf21
-rwxr-xr-xtesting/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/ikev1/net2net-route/hosts/moon/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/net2net-rsa/hosts/moon/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/net2net-rsa/hosts/sun/etc/strongswan.conf2
-rw-r--r--testing/tests/ikev1/net2net-same-nets/description.txt15
-rw-r--r--testing/tests/ikev1/net2net-same-nets/evaltest.dat10
-rwxr-xr-xtesting/tests/ikev1/net2net-same-nets/hosts/moon/etc/ipsec.conf25
-rwxr-xr-xtesting/tests/ikev1/net2net-same-nets/hosts/sun/etc/ipsec.conf27
-rwxr-xr-xtesting/tests/ikev1/net2net-same-nets/hosts/sun/etc/mark_updown376
-rw-r--r--testing/tests/ikev1/net2net-same-nets/posttest.dat7
-rw-r--r--testing/tests/ikev1/net2net-same-nets/pretest.dat6
-rw-r--r--testing/tests/ikev1/net2net-same-nets/test.conf21
-rwxr-xr-xtesting/tests/ikev1/net2net-start/hosts/moon/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/ocsp-revoked/hosts/moon/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/ocsp-strict/hosts/carol/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/ocsp-strict/hosts/moon/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/passthrough/hosts/moon/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/passthrough/hosts/sun/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/protoport-dual/hosts/carol/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/protoport-dual/hosts/moon/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/protoport-pass/hosts/carol/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/protoport-pass/hosts/moon/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/protoport-route/hosts/carol/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/protoport-route/hosts/moon/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/req-pkcs10/hosts/carol/etc/strongswan.conf2
-rw-r--r--testing/tests/ikev1/req-pkcs10/hosts/moon/etc/strongswan.conf2
-rw-r--r--testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf2
-rw-r--r--testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf2
-rw-r--r--testing/tests/ikev1/rw-mark-in-out/description.txt16
-rw-r--r--testing/tests/ikev1/rw-mark-in-out/evaltest.dat18
-rwxr-xr-xtesting/tests/ikev1/rw-mark-in-out/hosts/alice/etc/init.d/iptables77
-rwxr-xr-xtesting/tests/ikev1/rw-mark-in-out/hosts/alice/etc/ipsec.conf26
-rwxr-xr-xtesting/tests/ikev1/rw-mark-in-out/hosts/sun/etc/ipsec.conf37
-rwxr-xr-xtesting/tests/ikev1/rw-mark-in-out/hosts/sun/etc/mark_updown527
-rwxr-xr-xtesting/tests/ikev1/rw-mark-in-out/hosts/venus/etc/init.d/iptables77
-rwxr-xr-xtesting/tests/ikev1/rw-mark-in-out/hosts/venus/etc/ipsec.conf26
-rw-r--r--testing/tests/ikev1/rw-mark-in-out/posttest.dat12
-rw-r--r--testing/tests/ikev1/rw-mark-in-out/pretest.dat18
-rw-r--r--testing/tests/ikev1/rw-mark-in-out/test.conf21
-rwxr-xr-xtesting/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/self-signed/hosts/carol/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/self-signed/hosts/carol/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/ikev1/self-signed/hosts/moon/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/self-signed/hosts/moon/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/ikev1/starter-also-loop/hosts/moon/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/starter-also/hosts/moon/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/starter-includes/hosts/carol/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/starter-includes/hosts/dave/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.connections1
-rwxr-xr-xtesting/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/virtual-ip-swapped/hosts/carol/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/virtual-ip-swapped/hosts/moon/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/virtual-ip/hosts/carol/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/virtual-ip/hosts/moon/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/wildcards/hosts/carol/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/wildcards/hosts/dave/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/wildcards/hosts/moon/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/wlan/hosts/alice/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/wlan/hosts/moon/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ikev1/wlan/hosts/venus/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/strongswan.conf2
-rw-r--r--testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/strongswan.conf2
-rw-r--r--testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/strongswan.conf4
-rw-r--r--testing/tests/ikev1/xauth-id-psk-mode-config/posttest.dat2
-rw-r--r--testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/strongswan.conf2
-rw-r--r--testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/strongswan.conf2
-rw-r--r--testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/strongswan.conf2
-rw-r--r--testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/strongswan.conf2
-rw-r--r--testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/strongswan.conf2
-rw-r--r--testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/strongswan.conf2
-rw-r--r--testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf2
-rw-r--r--testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf2
-rw-r--r--testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/strongswan.conf2
-rw-r--r--testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/strongswan.conf2
-rw-r--r--testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/strongswan.conf2
-rw-r--r--testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/strongswan.conf2
-rw-r--r--testing/tests/ikev1/xauth-rsa-mode-config/posttest.dat2
-rwxr-xr-xtesting/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/strongswan.conf2
-rw-r--r--testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf2
-rw-r--r--testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf2
-rw-r--r--testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf2
-rw-r--r--testing/tests/ikev2/alg-3des-md5/test.conf4
-rw-r--r--testing/tests/ikev2/alg-aes-ccm/description.txt4
-rw-r--r--testing/tests/ikev2/alg-aes-ccm/evaltest.dat (renamed from testing/tests/ikev2/esp-alg-aes-ccm/evaltest.dat)8
-rwxr-xr-xtesting/tests/ikev2/alg-aes-ccm/hosts/carol/etc/ipsec.conf (renamed from testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf)2
-rw-r--r--testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/strongswan.conf (renamed from testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf)2
-rwxr-xr-xtesting/tests/ikev2/alg-aes-ccm/hosts/moon/etc/ipsec.conf (renamed from testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf)2
-rw-r--r--testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/strongswan.conf (renamed from testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf)2
-rw-r--r--testing/tests/ikev2/alg-aes-ccm/posttest.dat (renamed from testing/tests/ikev2/esp-alg-aes-ccm/posttest.dat)0
-rw-r--r--testing/tests/ikev2/alg-aes-ccm/pretest.dat (renamed from testing/tests/ikev2/esp-alg-aes-ccm/pretest.dat)0
-rw-r--r--testing/tests/ikev2/alg-aes-ccm/test.conf (renamed from testing/tests/ikev2/esp-alg-aes-ccm/test.conf)0
-rw-r--r--testing/tests/ikev2/alg-aes-ctr/description.txt4
-rw-r--r--testing/tests/ikev2/alg-aes-ctr/evaltest.dat (renamed from testing/tests/ikev2/esp-alg-aes-ctr/evaltest.dat)6
-rwxr-xr-xtesting/tests/ikev2/alg-aes-ctr/hosts/carol/etc/ipsec.conf (renamed from testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf)2
-rw-r--r--testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/strongswan.conf (renamed from testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf)2
-rwxr-xr-xtesting/tests/ikev2/alg-aes-ctr/hosts/moon/etc/ipsec.conf (renamed from testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf)2
-rw-r--r--testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/strongswan.conf (renamed from testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf)2
-rw-r--r--testing/tests/ikev2/alg-aes-ctr/posttest.dat (renamed from testing/tests/ikev2/esp-alg-aes-ctr/posttest.dat)0
-rw-r--r--testing/tests/ikev2/alg-aes-ctr/pretest.dat (renamed from testing/tests/ikev2/esp-alg-aes-ctr/pretest.dat)0
-rw-r--r--testing/tests/ikev2/alg-aes-ctr/test.conf (renamed from testing/tests/ikev2/esp-alg-aes-ctr/test.conf)4
-rw-r--r--testing/tests/ikev2/alg-aes-gcm/description.txt5
-rw-r--r--testing/tests/ikev2/alg-aes-gcm/evaltest.dat (renamed from testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat)8
-rwxr-xr-xtesting/tests/ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf (renamed from testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf)2
-rw-r--r--testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf5
-rwxr-xr-xtesting/tests/ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf (renamed from testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf)2
-rw-r--r--testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/alg-aes-gcm/posttest.dat (renamed from testing/tests/ikev2/esp-alg-aes-gcm/posttest.dat)0
-rw-r--r--testing/tests/ikev2/alg-aes-gcm/pretest.dat (renamed from testing/tests/ikev2/esp-alg-aes-gcm/pretest.dat)0
-rw-r--r--testing/tests/ikev2/alg-aes-gcm/test.conf21
-rw-r--r--testing/tests/ikev2/alg-aes-xcbc/test.conf4
-rw-r--r--testing/tests/ikev2/alg-sha256-96/test.conf4
-rw-r--r--testing/tests/ikev2/alg-sha256/test.conf4
-rw-r--r--testing/tests/ikev2/alg-sha384/test.conf4
-rw-r--r--testing/tests/ikev2/alg-sha512/test.conf4
-rw-r--r--testing/tests/ikev2/compress/test.conf4
-rw-r--r--testing/tests/ikev2/dpd-hold/test.conf4
-rw-r--r--testing/tests/ikev2/esp-alg-aes-ccm/description.txt4
-rw-r--r--testing/tests/ikev2/esp-alg-aes-ctr/description.txt3
-rw-r--r--testing/tests/ikev2/esp-alg-aes-gcm/description.txt4
-rw-r--r--testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/esp-alg-aes-gmac/test.conf4
-rw-r--r--testing/tests/ikev2/esp-alg-null/test.conf4
-rw-r--r--testing/tests/ikev2/ip-pool-db/posttest.dat2
-rw-r--r--testing/tests/ikev2/ip-pool-wish/posttest.dat2
-rw-r--r--testing/tests/ikev2/ip-pool/posttest.dat2
-rw-r--r--testing/tests/ikev2/ip-split-pools-db/posttest.dat2
-rw-r--r--testing/tests/ikev2/ip-two-pools-db/posttest.dat2
-rw-r--r--testing/tests/ikev2/ip-two-pools/posttest.dat2
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat2
-rwxr-xr-xtesting/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/mark_updown2
-rwxr-xr-xtesting/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown2
-rw-r--r--testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat2
-rw-r--r--testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat2
-rw-r--r--testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf2
-rw-r--r--testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf2
-rw-r--r--testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf2
-rw-r--r--testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/sites-available/default18
-rw-r--r--testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat4
-rw-r--r--testing/tests/ikev2/rw-eap-md5-id-radius/test.conf5
-rw-r--r--testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/sites-available/default17
-rw-r--r--testing/tests/ikev2/rw-eap-md5-radius/pretest.dat4
-rw-r--r--testing/tests/ikev2/rw-eap-md5-radius/test.conf5
-rw-r--r--testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/sites-available/default19
-rw-r--r--testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat3
-rw-r--r--testing/tests/ikev2/rw-eap-sim-id-radius/test.conf5
-rw-r--r--testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/sites-available/default18
-rw-r--r--testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf1
-rw-r--r--testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf1
-rw-r--r--testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf1
-rw-r--r--testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat3
-rw-r--r--testing/tests/ikev2/rw-eap-sim-only-radius/test.conf5
-rw-r--r--testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-tls-fragments/description.txt5
-rw-r--r--testing/tests/ikev2/rw-eap-tls-fragments/evaltest.dat9
-rwxr-xr-xtesting/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.conf23
-rw-r--r--testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/cacerts/ca_A_cert.derbin0 -> 4534 bytes
-rw-r--r--testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/certs/carol_D_cert.derbin0 -> 3432 bytes
-rw-r--r--testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/private/carol_key.derbin0 -> 4652 bytes
-rw-r--r--testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf12
-rwxr-xr-xtesting/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.conf24
-rw-r--r--testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_A_cert.derbin0 -> 4534 bytes
-rw-r--r--testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_B_cert.derbin0 -> 4542 bytes
-rw-r--r--testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_C_cert.derbin0 -> 4550 bytes
-rw-r--r--testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_D_cert.derbin0 -> 4550 bytes
-rw-r--r--testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/certs/moon_D_cert.derbin0 -> 3430 bytes
-rw-r--r--testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_A_key.derbin0 -> 9262 bytes
-rw-r--r--testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_B_key.derbin0 -> 9261 bytes
-rw-r--r--testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_C_key.derbin0 -> 9261 bytes
-rw-r--r--testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_D_key.derbin0 -> 9262 bytes
-rw-r--r--testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/moon_key.derbin0 -> 4651 bytes
-rw-r--r--testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf12
-rw-r--r--testing/tests/ikev2/rw-eap-tls-fragments/posttest.dat10
-rw-r--r--testing/tests/ikev2/rw-eap-tls-fragments/pretest.dat9
-rw-r--r--testing/tests/ikev2/rw-eap-tls-fragments/test.conf (renamed from testing/tests/ikev2/esp-alg-aes-gcm/test.conf)4
-rw-r--r--testing/tests/ikev2/rw-eap-tls-only/description.txt4
-rw-r--r--testing/tests/ikev2/rw-eap-tls-only/evaltest.dat9
-rwxr-xr-xtesting/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf22
-rw-r--r--testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf6
-rwxr-xr-xtesting/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf23
-rw-r--r--testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf6
-rw-r--r--testing/tests/ikev2/rw-eap-tls-only/posttest.dat4
-rw-r--r--testing/tests/ikev2/rw-eap-tls-only/pretest.dat7
-rw-r--r--testing/tests/ikev2/rw-eap-tls-only/test.conf21
-rw-r--r--testing/tests/ikev2/rw-eap-tls-radius/description.txt5
-rw-r--r--testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat11
-rw-r--r--testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/clients.conf4
-rw-r--r--testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/eap.conf13
-rw-r--r--testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/proxy.conf5
-rw-r--r--testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/radiusd.conf120
-rw-r--r--testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/sites-available/default42
-rw-r--r--testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/users1
-rwxr-xr-xtesting/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/ipsec.conf24
-rw-r--r--testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf6
-rwxr-xr-xtesting/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/init.d/iptables84
-rwxr-xr-xtesting/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/ipsec.conf24
-rw-r--r--testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf12
-rw-r--r--testing/tests/ikev2/rw-eap-tls-radius/posttest.dat5
-rw-r--r--testing/tests/ikev2/rw-eap-tls-radius/pretest.dat8
-rw-r--r--testing/tests/ikev2/rw-eap-tls-radius/test.conf26
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-block/description.txt8
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-block/evaltest.dat12
-rwxr-xr-xtesting/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.conf23
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/strongswan.conf6
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc/dummyimc.file1
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc_config3
-rwxr-xr-xtesting/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.conf23
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/strongswan.conf6
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc/dummyimc.file1
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc_config3
-rwxr-xr-xtesting/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.conf26
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.secrets6
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/strongswan.conf13
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/tnc_config3
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-block/posttest.dat6
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-block/pretest.dat15
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-block/test.conf26
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-radius-block/description.txt11
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-radius-block/evaltest.dat14
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/clients.conf4
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary2
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary.tnc5
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/eap.conf25
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/proxy.conf5
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/radiusd.conf120
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/default44
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel32
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second23
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/users2
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/tnc_config3
-rwxr-xr-xtesting/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.conf24
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/strongswan.conf6
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc/dummyimc.file1
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc_config3
-rwxr-xr-xtesting/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.conf24
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/strongswan.conf6
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc/dummyimc.file1
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc_config3
-rwxr-xr-xtesting/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/init.d/iptables84
-rwxr-xr-xtesting/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.conf25
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/strongswan.conf12
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-radius-block/posttest.dat8
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-radius-block/pretest.dat15
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-radius-block/test.conf26
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-radius/description.txt10
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-radius/evaltest.dat19
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/clients.conf4
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary2
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary.tnc5
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/eap.conf25
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/proxy.conf5
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/radiusd.conf120
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/default44
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel32
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second36
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/users2
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/tnc_config3
-rwxr-xr-xtesting/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.conf24
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/strongswan.conf6
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc/dummyimc.file1
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc_config3
-rwxr-xr-xtesting/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.conf24
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/strongswan.conf6
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc/dummyimc.file1
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc_config3
-rwxr-xr-xtesting/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/init.d/iptables84
-rwxr-xr-xtesting/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.conf35
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/strongswan.conf13
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-radius/posttest.dat8
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-radius/pretest.dat18
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-radius/test.conf26
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-tls/description.txt7
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-tls/evaltest.dat19
-rwxr-xr-xtesting/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/ipsec.conf24
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/strongswan.conf6
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc/dummyimc.file1
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc_config3
-rwxr-xr-xtesting/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/ipsec.conf24
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/strongswan.conf6
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc/dummyimc.file1
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc_config3
-rwxr-xr-xtesting/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.conf36
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.secrets6
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/strongswan.conf13
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/tnc_config3
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-tls/posttest.dat6
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-tls/pretest.dat15
-rw-r--r--testing/tests/ikev2/rw-eap-tnc-tls/test.conf26
-rw-r--r--testing/tests/ikev2/rw-eap-tnc/description.txt9
-rw-r--r--testing/tests/ikev2/rw-eap-tnc/evaltest.dat19
-rwxr-xr-xtesting/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.conf23
-rw-r--r--testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/strongswan.conf6
-rw-r--r--testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc/dummyimc.file1
-rw-r--r--testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc_config3
-rwxr-xr-xtesting/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.conf23
-rw-r--r--testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/strongswan.conf6
-rw-r--r--testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc/dummyimc.file1
-rw-r--r--testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc_config3
-rwxr-xr-xtesting/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.conf36
-rw-r--r--testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.secrets6
-rw-r--r--testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/strongswan.conf13
-rw-r--r--testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/tnc_config3
-rw-r--r--testing/tests/ikev2/rw-eap-tnc/posttest.dat6
-rw-r--r--testing/tests/ikev2/rw-eap-tnc/pretest.dat15
-rw-r--r--testing/tests/ikev2/rw-eap-tnc/test.conf26
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-only/description.txt11
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-only/evaltest.dat19
-rwxr-xr-xtesting/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.conf23
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf6
-rwxr-xr-xtesting/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.conf23
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf6
-rwxr-xr-xtesting/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.conf24
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.secrets6
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf11
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-only/posttest.dat6
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-only/pretest.dat10
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-only/test.conf21
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/description.txt10
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/evaltest.dat19
-rwxr-xr-xtesting/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf23
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf6
-rwxr-xr-xtesting/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf23
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf6
-rwxr-xr-xtesting/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf24
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.secrets6
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf12
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/posttest.dat6
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat10
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/test.conf21
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-radius/description.txt8
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat21
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/clients.conf4
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/eap.conf18
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/proxy.conf5
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/radiusd.conf120
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/sites-available/default44
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel32
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/users2
-rwxr-xr-xtesting/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.conf24
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf6
-rwxr-xr-xtesting/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf24
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf6
-rwxr-xr-xtesting/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/init.d/iptables84
-rwxr-xr-xtesting/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/ipsec.conf25
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf12
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat7
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat11
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-radius/test.conf26
-rwxr-xr-xtesting/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown2
-rwxr-xr-xtesting/tests/ipv6/host2host-ikev1/hosts/moon/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ipv6/host2host-ikev1/hosts/sun/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ipv6/net2net-ikev1/hosts/moon/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ipv6/net2net-ikev1/hosts/sun/etc/ipsec.conf1
-rw-r--r--testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf2
-rw-r--r--testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/ipv6/rw-ikev1/hosts/carol/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ipv6/rw-ikev1/hosts/moon/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ipv6/transport-ikev1/hosts/moon/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/ipv6/transport-ikev1/hosts/sun/etc/ipsec.conf1
-rwxr-xr-xtesting/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf1
-rw-r--r--testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf2
-rwxr-xr-xtesting/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf1
-rw-r--r--testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf2
-rw-r--r--testing/tests/openssl-ikev1/alg-camellia/test.conf4
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf2
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf2
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf2
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf2
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf2
-rw-r--r--testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf2
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf2
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf2
-rw-r--r--testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf2
-rw-r--r--testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf2
-rw-r--r--testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/strongswan.conf2
-rw-r--r--testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf2
-rw-r--r--testing/tests/openssl-ikev2/alg-camellia/test.conf4
-rw-r--r--testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf2
-rw-r--r--testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf2
-rw-r--r--testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf2
-rw-r--r--testing/tests/openssl-ikev2/rw-eap-tls-only/description.txt5
-rw-r--r--testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat10
-rwxr-xr-xtesting/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf25
-rw-r--r--testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem17
-rw-r--r--testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/certs/carolCert.pem18
-rw-r--r--testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/private/carolKey.pem8
-rw-r--r--testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.secrets3
-rw-r--r--testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf6
-rwxr-xr-xtesting/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf26
-rw-r--r--testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem17
-rw-r--r--testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/certs/moonCert.pem20
-rw-r--r--testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/private/moonKey.pem7
-rw-r--r--testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.secrets3
-rw-r--r--testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf13
-rw-r--r--testing/tests/openssl-ikev2/rw-eap-tls-only/posttest.dat4
-rw-r--r--testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat7
-rw-r--r--testing/tests/openssl-ikev2/rw-eap-tls-only/test.conf21
-rw-r--r--testing/tests/pfkey/alg-aes-xcbc/test.conf4
-rw-r--r--testing/tests/pfkey/alg-sha384/test.conf4
-rw-r--r--testing/tests/pfkey/alg-sha512/test.conf4
-rw-r--r--testing/tests/pfkey/esp-alg-null/test.conf4
-rw-r--r--testing/tests/sql/ip-pool-db-expired/posttest.dat2
-rw-r--r--testing/tests/sql/ip-pool-db-restart/posttest.dat2
-rw-r--r--testing/tests/sql/ip-pool-db/posttest.dat2
-rw-r--r--testing/tests/sql/ip-split-pools-db-restart/posttest.dat2
-rw-r--r--testing/tests/sql/ip-split-pools-db/posttest.dat2
679 files changed, 5889 insertions, 341 deletions
diff --git a/testing/tests/gcrypt-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
index a24c69735..cf51269a5 100755
--- a/testing/tests/gcrypt-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/gcrypt-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
ike=camellia128-sha256-modp2048!
esp=camellia128-sha256!
diff --git a/testing/tests/gcrypt-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
index afc3806b5..5e09a3a1d 100644
--- a/testing/tests/gcrypt-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = pem pkcs1 x509 gcrypt hmac curl
+ load = pem pkcs1 x509 gcrypt hmac curl kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/gcrypt-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf
index a8e09f8ff..5571dc086 100755
--- a/testing/tests/gcrypt-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/gcrypt-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
ike=camellia128-sha256-modp2048!
esp=camellia128-sha256!
diff --git a/testing/tests/gcrypt-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf
index afc3806b5..5e09a3a1d 100644
--- a/testing/tests/gcrypt-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = pem pkcs1 x509 gcrypt hmac curl
+ load = pem pkcs1 x509 gcrypt hmac curl kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/gcrypt-ikev1/alg-camellia/test.conf b/testing/tests/gcrypt-ikev1/alg-camellia/test.conf
index fd33cfb57..6abbb89a9 100644
--- a/testing/tests/gcrypt-ikev1/alg-camellia/test.conf
+++ b/testing/tests/gcrypt-ikev1/alg-camellia/test.conf
@@ -5,11 +5,11 @@
# All UML instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
# UML instances on which tcpdump is to be started
#
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/ipsec.conf
index 0848c3696..462427a8c 100755
--- a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
ike=serpent256-sha2_512-modp4096!
esp=serpent256-sha2_512!
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf
index afc3806b5..5e09a3a1d 100644
--- a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = pem pkcs1 x509 gcrypt hmac curl
+ load = pem pkcs1 x509 gcrypt hmac curl kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/ipsec.conf
index 05edfc7d0..de3c1d1c7 100755
--- a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
ike=serpent256-sha2_512-modp4096!
esp=serpent256-sha2_512!
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf
index afc3806b5..5e09a3a1d 100644
--- a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = pem pkcs1 x509 gcrypt hmac curl
+ load = pem pkcs1 x509 gcrypt hmac curl kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/test.conf b/testing/tests/gcrypt-ikev1/alg-serpent/test.conf
index fd33cfb57..6abbb89a9 100644
--- a/testing/tests/gcrypt-ikev1/alg-serpent/test.conf
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/test.conf
@@ -5,11 +5,11 @@
# All UML instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
# UML instances on which tcpdump is to be started
#
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/ipsec.conf
index 838291f80..4c02699b7 100755
--- a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
ike=twofish256-sha2_512-modp4096!
esp=twofish256-sha2_512!
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf
index afc3806b5..5e09a3a1d 100644
--- a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = pem pkcs1 x509 gcrypt hmac curl
+ load = pem pkcs1 x509 gcrypt hmac curl kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/ipsec.conf
index c2ef12853..d608ac2f6 100755
--- a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
ike=twofish256-sha2_512-modp4096!
esp=twofish256-sha2_512!
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf
index afc3806b5..5e09a3a1d 100644
--- a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = pem pkcs1 x509 gcrypt hmac curl
+ load = pem pkcs1 x509 gcrypt hmac curl kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/test.conf b/testing/tests/gcrypt-ikev1/alg-twofish/test.conf
index fd33cfb57..6abbb89a9 100644
--- a/testing/tests/gcrypt-ikev1/alg-twofish/test.conf
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/test.conf
@@ -5,11 +5,11 @@
# All UML instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
# UML instances on which tcpdump is to be started
#
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
index 77491cfd8..697565a38 100644
--- a/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = test-vectors pem pkcs1 x509 gcrypt hmac curl
+ load = test-vectors pem pkcs1 x509 gcrypt hmac curl kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
index 7d8cd1781..5cc54b24f 100644
--- a/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = test-vectors aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac curl
+ load = test-vectors aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac curl kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
index 77491cfd8..697565a38 100644
--- a/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = test-vectors pem pkcs1 x509 gcrypt hmac curl
+ load = test-vectors pem pkcs1 x509 gcrypt hmac curl kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/test.conf b/testing/tests/gcrypt-ikev2/alg-camellia/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/gcrypt-ikev2/alg-camellia/test.conf
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/test.conf
@@ -5,11 +5,11 @@
# All UML instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
# UML instances on which tcpdump is to be started
#
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
index f0e57e827..92fcbd641 100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = curl test-vectors pem pkcs1 gcrypt x509 revocation hmac stroke kernel-netlink socket-default updown
+ load = curl test-vectors pem pkcs1 gcrypt x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
}
libstrongswan {
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
index 208f1c36d..e483eba9d 100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown
+ load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
}
libstrongswan {
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
index f0e57e827..92fcbd641 100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = curl test-vectors pem pkcs1 gcrypt x509 revocation hmac stroke kernel-netlink socket-default updown
+ load = curl test-vectors pem pkcs1 gcrypt x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
}
libstrongswan {
diff --git a/testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf
index c2d2b14ac..83c10cfdc 100644
--- a/testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = test-vectors sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+ load = test-vectors sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ike/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/ike/rw-cert/hosts/dave/etc/ipsec.conf
index a42c7a5bd..3be21d055 100755
--- a/testing/tests/ike/rw-cert/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ike/rw-cert/hosts/dave/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev2
conn home
left=PH_IP_DAVE
@@ -17,5 +18,4 @@ conn home
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightsubnet=10.1.0.0/16
- keyexchange=ikev2
auto=add
diff --git a/testing/tests/ike/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ike/rw-cert/hosts/moon/etc/ipsec.conf
index 340b1a176..d90ab485c 100755
--- a/testing/tests/ike/rw-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ike/rw-cert/hosts/moon/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn rw
left=PH_IP_MOON
diff --git a/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf
index d84d916a5..7a066e53e 100644
--- a/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf
@@ -5,7 +5,7 @@ charon {
}
pluto {
- load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac
+ load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac kernel-netlink
}
libstrongswan {
diff --git a/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf b/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf
index 38db1e4fc..8cb117c7b 100644
--- a/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf
@@ -5,5 +5,5 @@ charon {
}
pluto {
- load = curl aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac
+ load = curl aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac kernel-netlink
}
diff --git a/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.conf
index d55638907..528e3f1b3 100755
--- a/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn home
left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.conf
index 94517ecbe..991ae4368 100755
--- a/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn rw
left=PH_IP_MOON
diff --git a/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf
index 3517077f9..57394c27a 100755
--- a/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
ike=blowfish256-sha2_512-modp4096!
esp=blowfish256-sha2_512!
diff --git a/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf
index 28dd532b3..4dbdc67b3 100644
--- a/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des blowfish hmac pem pkcs1 x509 gmp random curl
+ load = sha1 sha2 md5 aes des blowfish hmac pem pkcs1 x509 gmp random curl kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf
index 1b4cca222..427c5d180 100755
--- a/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
ike=blowfish256-sha2_512-modp4096!
esp=blowfish256-sha2_512!
diff --git a/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf
index 28dd532b3..4dbdc67b3 100644
--- a/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des blowfish hmac pem pkcs1 x509 gmp random curl
+ load = sha1 sha2 md5 aes des blowfish hmac pem pkcs1 x509 gmp random curl kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/alg-blowfish/test.conf b/testing/tests/ikev1/alg-blowfish/test.conf
index fd33cfb57..6abbb89a9 100644
--- a/testing/tests/ikev1/alg-blowfish/test.conf
+++ b/testing/tests/ikev1/alg-blowfish/test.conf
@@ -5,11 +5,11 @@
# All UML instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
# UML instances on which tcpdump is to be started
#
diff --git a/testing/tests/ikev1/alg-sha256-96/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha256-96/hosts/carol/etc/ipsec.conf
index 2611115cd..2d6f87b17 100755
--- a/testing/tests/ikev1/alg-sha256-96/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha256-96/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
ike=aes128-sha256-modp2048!
esp=aes128-sha256_96!
diff --git a/testing/tests/ikev1/alg-sha256-96/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha256-96/hosts/moon/etc/ipsec.conf
index 758c7a29a..b2a686db0 100755
--- a/testing/tests/ikev1/alg-sha256-96/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha256-96/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
ike=aes128-sha256-modp2048!
esp=aes128-sha256_96!
diff --git a/testing/tests/ikev1/alg-sha256-96/test.conf b/testing/tests/ikev1/alg-sha256-96/test.conf
index fd33cfb57..6abbb89a9 100644
--- a/testing/tests/ikev1/alg-sha256-96/test.conf
+++ b/testing/tests/ikev1/alg-sha256-96/test.conf
@@ -5,11 +5,11 @@
# All UML instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
# UML instances on which tcpdump is to be started
#
diff --git a/testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf
index 0e1db6fbe..66476b83e 100755
--- a/testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
ike=aes128-sha256-modp2048!
esp=aes128-sha256!
diff --git a/testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf
index 584ffda19..2b97ff4f3 100755
--- a/testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
ike=aes128-sha256-modp2048!
esp=aes128-sha256!
diff --git a/testing/tests/ikev1/alg-sha256/test.conf b/testing/tests/ikev1/alg-sha256/test.conf
index fd33cfb57..6abbb89a9 100644
--- a/testing/tests/ikev1/alg-sha256/test.conf
+++ b/testing/tests/ikev1/alg-sha256/test.conf
@@ -5,11 +5,11 @@
# All UML instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
# UML instances on which tcpdump is to be started
#
diff --git a/testing/tests/ikev1/alg-sha384/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha384/hosts/carol/etc/ipsec.conf
index c60c6615c..42df1dccd 100755
--- a/testing/tests/ikev1/alg-sha384/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha384/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
ike=aes192-sha384-modp3072!
esp=aes192-sha384!
diff --git a/testing/tests/ikev1/alg-sha384/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha384/hosts/moon/etc/ipsec.conf
index 2d361b38a..a75d370aa 100755
--- a/testing/tests/ikev1/alg-sha384/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha384/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
ike=aes192-sha384-modp3072!
esp=aes192-sha384!
diff --git a/testing/tests/ikev1/alg-sha384/test.conf b/testing/tests/ikev1/alg-sha384/test.conf
index fd33cfb57..6abbb89a9 100644
--- a/testing/tests/ikev1/alg-sha384/test.conf
+++ b/testing/tests/ikev1/alg-sha384/test.conf
@@ -5,11 +5,11 @@
# All UML instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
# UML instances on which tcpdump is to be started
#
diff --git a/testing/tests/ikev1/alg-sha512/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha512/hosts/carol/etc/ipsec.conf
index 6bd3ac8c7..329de395c 100755
--- a/testing/tests/ikev1/alg-sha512/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha512/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
ike=aes256-sha512-modp4096!
esp=aes256-sha512!
diff --git a/testing/tests/ikev1/alg-sha512/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha512/hosts/moon/etc/ipsec.conf
index a28269155..8da459a8a 100755
--- a/testing/tests/ikev1/alg-sha512/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha512/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
ike=aes256-sha512-modp4096!
esp=aes256-sha512!
diff --git a/testing/tests/ikev1/alg-sha512/test.conf b/testing/tests/ikev1/alg-sha512/test.conf
index fd33cfb57..6abbb89a9 100644
--- a/testing/tests/ikev1/alg-sha512/test.conf
+++ b/testing/tests/ikev1/alg-sha512/test.conf
@@ -5,11 +5,11 @@
# All UML instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
# UML instances on which tcpdump is to be started
#
diff --git a/testing/tests/ikev1/attr-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/attr-cert/hosts/carol/etc/ipsec.conf
index cdd6929ff..a84b3a6b2 100755
--- a/testing/tests/ikev1/attr-cert/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/attr-cert/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
left=PH_IP_CAROL
leftcert=carolCert.pem
leftid=carol@strongswan.org
diff --git a/testing/tests/ikev1/attr-cert/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/attr-cert/hosts/dave/etc/ipsec.conf
index 285dc7234..ce3903596 100755
--- a/testing/tests/ikev1/attr-cert/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/attr-cert/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
left=PH_IP_DAVE
leftcert=daveCert.pem
leftid=dave@strongswan.org
diff --git a/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.conf
index a0250f597..11cf4d5d1 100755
--- a/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
left=PH_IP_MOON
leftcert=moonCert.pem
leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/attr-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/attr-cert/hosts/moon/etc/strongswan.conf
index 53d719d9d..1a47aeb7d 100644
--- a/testing/tests/ikev1/attr-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/attr-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
}
openac {
diff --git a/testing/tests/ikev1/compress/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/compress/hosts/carol/etc/ipsec.conf
index 45118094b..f5050fef1 100755
--- a/testing/tests/ikev1/compress/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/compress/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
compress=yes
conn home
diff --git a/testing/tests/ikev1/compress/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/compress/hosts/moon/etc/ipsec.conf
index a370ca458..aaf13f5fc 100755
--- a/testing/tests/ikev1/compress/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/compress/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
compress=yes
conn rw
diff --git a/testing/tests/ikev1/compress/test.conf b/testing/tests/ikev1/compress/test.conf
index fd33cfb57..6abbb89a9 100644
--- a/testing/tests/ikev1/compress/test.conf
+++ b/testing/tests/ikev1/compress/test.conf
@@ -5,11 +5,11 @@
# All UML instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
# UML instances on which tcpdump is to be started
#
diff --git a/testing/tests/ikev1/crl-from-cache/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-from-cache/hosts/carol/etc/ipsec.conf
index 98e7df65f..bb1879b1d 100755
--- a/testing/tests/ikev1/crl-from-cache/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-from-cache/hosts/carol/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
left=PH_IP_CAROL
leftcert=carolCert.pem
leftid=carol@strongswan.org
diff --git a/testing/tests/ikev1/crl-from-cache/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-from-cache/hosts/moon/etc/ipsec.conf
index 25906e890..ec0bc2e88 100755
--- a/testing/tests/ikev1/crl-from-cache/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-from-cache/hosts/moon/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
left=PH_IP_MOON
leftcert=moonCert.pem
leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.conf
index 1bc6cf4fb..5a7668c64 100755
--- a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.conf
@@ -17,6 +17,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=2
+ keyexchange=ikev1
conn home
left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/strongswan.conf
index 4d916ab36..71358d6c6 100644
--- a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.conf
index fdfff13f0..1b80c0ddd 100755
--- a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.conf
@@ -17,6 +17,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=2
+ keyexchange=ikev1
left=PH_IP_MOON
leftcert=moonCert.pem
leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/strongswan.conf
index 4d916ab36..71358d6c6 100644
--- a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.conf
index e0c758e74..77f6cfcb0 100755
--- a/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
left=PH_IP_CAROL
leftcert=carolRevokedCert.pem
leftid=carol@strongswan.org
diff --git a/testing/tests/ikev1/crl-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-revoked/hosts/moon/etc/ipsec.conf
index d3603b7aa..1c011dccb 100755
--- a/testing/tests/ikev1/crl-revoked/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-revoked/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
left=PH_IP_MOON
leftcert=moonCert.pem
leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/crl-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-strict/hosts/carol/etc/ipsec.conf
index d240302b6..b4bc2101c 100755
--- a/testing/tests/ikev1/crl-strict/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-strict/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
left=PH_IP_CAROL
leftcert=carolCert.pem
leftid=carol@strongswan.org
diff --git a/testing/tests/ikev1/crl-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-strict/hosts/moon/etc/ipsec.conf
index d3603b7aa..1c011dccb 100755
--- a/testing/tests/ikev1/crl-strict/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-strict/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
left=PH_IP_MOON
leftcert=moonCert.pem
leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/crl-to-cache/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-to-cache/hosts/carol/etc/ipsec.conf
index 6c2de2e1e..3fbad9070 100755
--- a/testing/tests/ikev1/crl-to-cache/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-to-cache/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
left=PH_IP_CAROL
leftcert=carolCert.pem
leftid=carol@strongswan.org
diff --git a/testing/tests/ikev1/crl-to-cache/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-to-cache/hosts/moon/etc/ipsec.conf
index 8d07e42ba..0b9f891bd 100755
--- a/testing/tests/ikev1/crl-to-cache/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-to-cache/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
left=PH_IP_MOON
leftcert=moonCert.pem
leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/default-keys/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/default-keys/hosts/carol/etc/ipsec.conf
index 307d0b6b4..4d5bff62c 100755
--- a/testing/tests/ikev1/default-keys/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/default-keys/hosts/carol/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn home
left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/default-keys/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/default-keys/hosts/carol/etc/strongswan.conf
index 737117cc9..e589a9425 100644
--- a/testing/tests/ikev1/default-keys/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/default-keys/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
}
scepclient {
diff --git a/testing/tests/ikev1/default-keys/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/default-keys/hosts/moon/etc/ipsec.conf
index ce7afbaf3..dd7ae0b20 100755
--- a/testing/tests/ikev1/default-keys/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/default-keys/hosts/moon/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn carol
left=PH_IP_MOON
diff --git a/testing/tests/ikev1/default-keys/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/default-keys/hosts/moon/etc/strongswan.conf
index 737117cc9..e589a9425 100644
--- a/testing/tests/ikev1/default-keys/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/default-keys/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
}
scepclient {
diff --git a/testing/tests/ikev1/double-nat-net/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/double-nat-net/hosts/alice/etc/ipsec.conf
index 5c0763734..caad279bb 100755
--- a/testing/tests/ikev1/double-nat-net/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev1/double-nat-net/hosts/alice/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn nat-t
left=%defaultroute
diff --git a/testing/tests/ikev1/double-nat-net/hosts/bob/etc/ipsec.conf b/testing/tests/ikev1/double-nat-net/hosts/bob/etc/ipsec.conf
index e79b2ca35..32d2ab0f6 100755
--- a/testing/tests/ikev1/double-nat-net/hosts/bob/etc/ipsec.conf
+++ b/testing/tests/ikev1/double-nat-net/hosts/bob/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn nat-t
left=%defaultroute
diff --git a/testing/tests/ikev1/double-nat/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/double-nat/hosts/alice/etc/ipsec.conf
index 3533c3f8b..7de7a951e 100755
--- a/testing/tests/ikev1/double-nat/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev1/double-nat/hosts/alice/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn nat-t
left=%defaultroute
diff --git a/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf
index a50275d98..34490a13a 100755
--- a/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
dpdaction=clear
dpddelay=10
dpdtimeout=30
diff --git a/testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf
index e6938e79a..3c0b0bf15 100755
--- a/testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn moon
left=%defaultroute
diff --git a/testing/tests/ikev1/dpd-restart/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dpd-restart/hosts/moon/etc/ipsec.conf
index ae9b35e97..9f1aded0f 100755
--- a/testing/tests/ikev1/dpd-restart/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/dpd-restart/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
dpdaction=restart
dpddelay=5
dpdtimeout=25
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/ipsec.conf
index d8b885a88..acf503f8e 100755
--- a/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn moon
left=%defaultroute
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.conf
index d8b885a88..acf503f8e 100755
--- a/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn moon
left=%defaultroute
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/ipsec.conf
index bf39d7527..ee28eebf3 100755
--- a/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
left=%defaultroute
leftnexthop=%direct
leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/ipsec.conf
index d8b885a88..acf503f8e 100755
--- a/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn moon
left=%defaultroute
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.conf
index d8b885a88..acf503f8e 100755
--- a/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn moon
left=%defaultroute
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/ipsec.conf
index bf39d7527..ee28eebf3 100755
--- a/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
left=%defaultroute
leftnexthop=%direct
leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/ipsec.conf
index 1f964d0de..0f37e6188 100755
--- a/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn moon
left=%defaultroute
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/ipsec.conf
index c098ffd90..ec35eac9a 100755
--- a/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn moon
left=%defaultroute
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/ipsec.conf
index 45ec8094b..21848bc1c 100755
--- a/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
left=%defaultroute
leftnexthop=%direct
leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/ipsec.conf
index 6af3a88ac..299b6a831 100755
--- a/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
auth=ah
ike=aes128-sha
esp=aes128-sha1
diff --git a/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/ipsec.conf
index e1bc08ee4..45ada023f 100755
--- a/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
auth=ah
ike=aes128-sha
esp=aes128-sha1
diff --git a/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/ipsec.conf
index 8a9f033f1..168e5d2a8 100755
--- a/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
auth=ah
ike=aes128-sha
esp=aes128-sha1
diff --git a/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/ipsec.conf
index fb0e59d86..b89d8e861 100755
--- a/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
auth=ah
ike=aes128-sha
esp=aes128-sha1
diff --git a/testing/tests/ikev1/esp-ah-tunnel/test.conf b/testing/tests/ikev1/esp-ah-tunnel/test.conf
index fd33cfb57..6abbb89a9 100644
--- a/testing/tests/ikev1/esp-ah-tunnel/test.conf
+++ b/testing/tests/ikev1/esp-ah-tunnel/test.conf
@@ -5,11 +5,11 @@
# All UML instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
# UML instances on which tcpdump is to be started
#
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/test.conf b/testing/tests/ikev1/esp-alg-aes-ccm/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/ikev1/esp-alg-aes-ccm/test.conf
+++ b/testing/tests/ikev1/esp-alg-aes-ccm/test.conf
@@ -5,11 +5,11 @@
# All UML instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
# UML instances on which tcpdump is to be started
#
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/test.conf b/testing/tests/ikev1/esp-alg-aes-ctr/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/ikev1/esp-alg-aes-ctr/test.conf
+++ b/testing/tests/ikev1/esp-alg-aes-ctr/test.conf
@@ -5,11 +5,11 @@
# All UML instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
# UML instances on which tcpdump is to be started
#
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/test.conf b/testing/tests/ikev1/esp-alg-aes-gcm/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/ikev1/esp-alg-aes-gcm/test.conf
+++ b/testing/tests/ikev1/esp-alg-aes-gcm/test.conf
@@ -5,11 +5,11 @@
# All UML instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
# UML instances on which tcpdump is to be started
#
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/test.conf b/testing/tests/ikev1/esp-alg-aes-gmac/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/ikev1/esp-alg-aes-gmac/test.conf
+++ b/testing/tests/ikev1/esp-alg-aes-gmac/test.conf
@@ -5,11 +5,11 @@
# All UML instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
# UML instances on which tcpdump is to be started
#
diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf
index ed905d05f..75ce0fbbe 100755
--- a/testing/tests/ikev1/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
ike=aes256-sha2_256-modp2048!
esp=aes256-aesxcbc!
diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf
index f1b7ff56d..c2e0a6dde 100755
--- a/testing/tests/ikev1/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
ike=aes256-sha2_256-modp2048!
esp=aes256-aesxcbc!
diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/test.conf b/testing/tests/ikev1/esp-alg-aesxcbc/test.conf
index fd33cfb57..6abbb89a9 100644
--- a/testing/tests/ikev1/esp-alg-aesxcbc/test.conf
+++ b/testing/tests/ikev1/esp-alg-aesxcbc/test.conf
@@ -5,11 +5,11 @@
# All UML instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
# UML instances on which tcpdump is to be started
#
diff --git a/testing/tests/ikev1/esp-alg-des/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-des/hosts/carol/etc/ipsec.conf
index feeef7901..a5715a7f1 100755
--- a/testing/tests/ikev1/esp-alg-des/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-des/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
ike=3des-md5-modp1024!
esp=des-md5!
diff --git a/testing/tests/ikev1/esp-alg-des/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-des/hosts/moon/etc/ipsec.conf
index be4c9aced..0329a533d 100755
--- a/testing/tests/ikev1/esp-alg-des/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-des/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
ike=3des-md5-modp1024!
esp=des-md5!
diff --git a/testing/tests/ikev1/esp-alg-des/test.conf b/testing/tests/ikev1/esp-alg-des/test.conf
index fd33cfb57..6abbb89a9 100644
--- a/testing/tests/ikev1/esp-alg-des/test.conf
+++ b/testing/tests/ikev1/esp-alg-des/test.conf
@@ -5,11 +5,11 @@
# All UML instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
# UML instances on which tcpdump is to be started
#
diff --git a/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf
index 3c9fdbb71..fe76579ac 100755
--- a/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
ike=aes-sha1
esp=null-sha1!
diff --git a/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf
index 62f17df49..b768b8ee4 100755
--- a/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
ike=aes-sha1!
esp=null-sha1!
diff --git a/testing/tests/ikev1/esp-alg-null/test.conf b/testing/tests/ikev1/esp-alg-null/test.conf
index fd33cfb57..6abbb89a9 100644
--- a/testing/tests/ikev1/esp-alg-null/test.conf
+++ b/testing/tests/ikev1/esp-alg-null/test.conf
@@ -5,11 +5,11 @@
# All UML instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
# UML instances on which tcpdump is to be started
#
diff --git a/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf
index 21997940b..46a619016 100755
--- a/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
ike=3des-sha1
esp=3des-sha1
diff --git a/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf
index 14f58ccc3..86a15c96d 100755
--- a/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
ike=aes128-sha1
esp=aes128-sha1!
diff --git a/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf
index 7e2de30cd..052541b21 100755
--- a/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
ike=3des-sha,aes128-sha1
esp=3des-sha1,aes128-sha1
diff --git a/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf
index 14f58ccc3..86a15c96d 100755
--- a/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
ike=aes128-sha1
esp=aes128-sha1!
diff --git a/testing/tests/ikev1/esp-alg-weak/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-weak/hosts/carol/etc/ipsec.conf
index feeef7901..a5715a7f1 100755
--- a/testing/tests/ikev1/esp-alg-weak/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-weak/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
ike=3des-md5-modp1024!
esp=des-md5!
diff --git a/testing/tests/ikev1/esp-alg-weak/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-weak/hosts/moon/etc/ipsec.conf
index 147d8ffaa..e5fed2f06 100755
--- a/testing/tests/ikev1/esp-alg-weak/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-weak/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn rw
left=PH_IP_MOON
diff --git a/testing/tests/ikev1/host2host-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/host2host-swapped/hosts/moon/etc/ipsec.conf
index b984b8d14..95739fe51 100755
--- a/testing/tests/ikev1/host2host-swapped/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/host2host-swapped/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn host-host
right=PH_IP_MOON
diff --git a/testing/tests/ikev1/host2host-swapped/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/host2host-swapped/hosts/sun/etc/ipsec.conf
index bb409adcc..a0d600a6f 100755
--- a/testing/tests/ikev1/host2host-swapped/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/host2host-swapped/hosts/sun/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn host-host
right=PH_IP_SUN
diff --git a/testing/tests/ikev1/host2host-transport/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/host2host-transport/hosts/moon/etc/ipsec.conf
index 49c84d894..b56189c6c 100755
--- a/testing/tests/ikev1/host2host-transport/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/host2host-transport/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn host-host
left=PH_IP_MOON
diff --git a/testing/tests/ikev1/host2host-transport/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/host2host-transport/hosts/sun/etc/ipsec.conf
index e517b39cd..1f2ade20b 100755
--- a/testing/tests/ikev1/host2host-transport/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/host2host-transport/hosts/sun/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn host-host
left=PH_IP_SUN
diff --git a/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf
index 63ad1c01d..d75a7022e 100755
--- a/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
ike=3des-sha1
esp=3des-sha1
diff --git a/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf
index 1ea5fe7a5..460ff749c 100755
--- a/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
ike=aes128-sha1!
esp=aes128-sha1
diff --git a/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf
index 9272bdc7f..36bdc0fa4 100755
--- a/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
ike=3des-sha1,aes128-sha1
esp=3des-sha1,aes128-sha1
conn home
diff --git a/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf
index 1ea5fe7a5..460ff749c 100755
--- a/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
ike=aes128-sha1!
esp=aes128-sha1
diff --git a/testing/tests/ikev1/ip-pool-db-push/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db-push/hosts/carol/etc/strongswan.conf
index c93224ae5..56f13324a 100644
--- a/testing/tests/ikev1/ip-pool-db-push/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool-db-push/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/ip-pool-db-push/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db-push/hosts/dave/etc/strongswan.conf
index c93224ae5..56f13324a 100644
--- a/testing/tests/ikev1/ip-pool-db-push/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool-db-push/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/ip-pool-db-push/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db-push/hosts/moon/etc/strongswan.conf
index 90eb30a9b..630135adc 100644
--- a/testing/tests/ikev1/ip-pool-db-push/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool-db-push/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl sqlite attr-sql
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl sqlite attr-sql kernel-netlink
}
libhydra {
diff --git a/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf
index c93224ae5..56f13324a 100644
--- a/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf
index c93224ae5..56f13324a 100644
--- a/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf
index 90eb30a9b..630135adc 100644
--- a/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl sqlite attr-sql
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl sqlite attr-sql kernel-netlink
}
libhydra {
diff --git a/testing/tests/ikev1/ip-pool/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/ip-pool/hosts/carol/etc/strongswan.conf
index ba5dbdd1d..4c40f76cc 100644
--- a/testing/tests/ikev1/ip-pool/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/ip-pool/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/ip-pool/hosts/dave/etc/strongswan.conf
index ba5dbdd1d..4c40f76cc 100644
--- a/testing/tests/ikev1/ip-pool/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/ip-pool/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/ip-pool/hosts/moon/etc/strongswan.conf
index ba5dbdd1d..4c40f76cc 100644
--- a/testing/tests/ikev1/ip-pool/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf b/testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf
index ba5dbdd1d..4c40f76cc 100644
--- a/testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf
index ba5dbdd1d..4c40f76cc 100644
--- a/testing/tests/ikev1/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
index 90eb30a9b..630135adc 100644
--- a/testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl sqlite attr-sql
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl sqlite attr-sql kernel-netlink
}
libhydra {
diff --git a/testing/tests/ikev1/ip-two-pools/hosts/alice/etc/strongswan.conf b/testing/tests/ikev1/ip-two-pools/hosts/alice/etc/strongswan.conf
index ba5dbdd1d..4c40f76cc 100644
--- a/testing/tests/ikev1/ip-two-pools/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-two-pools/hosts/alice/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/ip-two-pools/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/ip-two-pools/hosts/carol/etc/strongswan.conf
index ba5dbdd1d..4c40f76cc 100644
--- a/testing/tests/ikev1/ip-two-pools/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-two-pools/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/ip-two-pools/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/ip-two-pools/hosts/moon/etc/strongswan.conf
index ba5dbdd1d..4c40f76cc 100644
--- a/testing/tests/ikev1/ip-two-pools/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-two-pools/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/mode-config-multiple/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/mode-config-multiple/hosts/carol/etc/ipsec.conf
index f05916614..3d6addb62 100755
--- a/testing/tests/ikev1/mode-config-multiple/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config-multiple/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn alice
also=home
diff --git a/testing/tests/ikev1/mode-config-multiple/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/mode-config-multiple/hosts/dave/etc/ipsec.conf
index 44644f2af..0b93eb58f 100755
--- a/testing/tests/ikev1/mode-config-multiple/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config-multiple/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn alice
also=home
diff --git a/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/ipsec.conf
index ce760a473..7f5bb812f 100755
--- a/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
left=192.168.0.1
leftsourceip=10.1.0.1
leftcert=moonCert.pem
diff --git a/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/strongswan.conf
index 21493adc3..fb989daff 100644
--- a/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl attr
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl attr kernel-netlink
dns1 = PH_IP_WINNETOU
dns2 = PH_IP6_VENUS
}
diff --git a/testing/tests/ikev1/mode-config-push/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/mode-config-push/hosts/carol/etc/ipsec.conf
index 594f2c59b..64c97eb16 100755
--- a/testing/tests/ikev1/mode-config-push/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config-push/hosts/carol/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
rekeymargin=3m
rekey=no
keyingtries=1
+ keyexchange=ikev1
conn home
left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/mode-config-push/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/mode-config-push/hosts/carol/etc/strongswan.conf
index c93224ae5..56f13324a 100644
--- a/testing/tests/ikev1/mode-config-push/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/mode-config-push/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/mode-config-push/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/mode-config-push/hosts/dave/etc/ipsec.conf
index 469145fb8..ba47559a0 100755
--- a/testing/tests/ikev1/mode-config-push/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config-push/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn home
left=PH_IP_DAVE
diff --git a/testing/tests/ikev1/mode-config-push/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/mode-config-push/hosts/dave/etc/strongswan.conf
index c93224ae5..56f13324a 100644
--- a/testing/tests/ikev1/mode-config-push/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/mode-config-push/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/mode-config-push/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/mode-config-push/hosts/moon/etc/ipsec.conf
index 79be57226..8b125ab80 100755
--- a/testing/tests/ikev1/mode-config-push/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config-push/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
modeconfig=push
left=PH_IP_MOON
leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev1/mode-config-push/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/mode-config-push/hosts/moon/etc/strongswan.conf
index 797025c4d..f8d952d21 100644
--- a/testing/tests/ikev1/mode-config-push/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/mode-config-push/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl attr
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl attr kernel-netlink
dns1 = PH_IP_WINNETOU
dns2 = PH_IP_VENUS
}
diff --git a/testing/tests/ikev1/mode-config-swapped/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/mode-config-swapped/hosts/carol/etc/ipsec.conf
index b019c5a33..4cea3d81b 100755
--- a/testing/tests/ikev1/mode-config-swapped/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config-swapped/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn home
right=PH_IP_CAROL
diff --git a/testing/tests/ikev1/mode-config-swapped/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/mode-config-swapped/hosts/dave/etc/ipsec.conf
index 5b38a2041..cf96ddeca 100755
--- a/testing/tests/ikev1/mode-config-swapped/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config-swapped/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn home
right=PH_IP_DAVE
diff --git a/testing/tests/ikev1/mode-config-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/mode-config-swapped/hosts/moon/etc/ipsec.conf
index 911531edb..b01f5b112 100755
--- a/testing/tests/ikev1/mode-config-swapped/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config-swapped/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
right=PH_IP_MOON
rightsubnet=10.1.0.0/16
rightsourceip=PH_IP_MOON1
diff --git a/testing/tests/ikev1/mode-config/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/mode-config/hosts/carol/etc/ipsec.conf
index 57ec7040e..9c75434c2 100755
--- a/testing/tests/ikev1/mode-config/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn home
left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/mode-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/mode-config/hosts/carol/etc/strongswan.conf
index c93224ae5..56f13324a 100644
--- a/testing/tests/ikev1/mode-config/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/mode-config/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/mode-config/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/mode-config/hosts/dave/etc/ipsec.conf
index 3179faa05..726998e19 100755
--- a/testing/tests/ikev1/mode-config/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn home
left=PH_IP_DAVE
diff --git a/testing/tests/ikev1/mode-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/mode-config/hosts/dave/etc/strongswan.conf
index c93224ae5..56f13324a 100644
--- a/testing/tests/ikev1/mode-config/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/mode-config/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf
index ce26fc5e9..37278081e 100755
--- a/testing/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
rekey=no
left=PH_IP_MOON
leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf
index 797025c4d..f8d952d21 100644
--- a/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl attr
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl attr kernel-netlink
dns1 = PH_IP_WINNETOU
dns2 = PH_IP_VENUS
}
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf
index cfdc692d7..d9e5b119e 100755
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf
@@ -16,6 +16,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
left=PH_IP_CAROL
leftcert=carolCert.pem
right=PH_IP_MOON
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf
index 4d916ab36..71358d6c6 100644
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf
index fecce5efa..bf83264af 100755
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf
@@ -16,6 +16,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
left=PH_IP_DAVE
leftcert=daveCert.pem
right=PH_IP_MOON
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf
index 4d916ab36..71358d6c6 100644
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf
index 994792f7d..50b896541 100755
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf
@@ -26,6 +26,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
left=PH_IP_MOON
leftcert=moonCert.pem
leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
index 4d916ab36..71358d6c6 100644
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.conf
index 04a512eb7..4d42b1419 100755
--- a/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
left=PH_IP_CAROL
leftcert=carolCert.pem
right=PH_IP_MOON
diff --git a/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.conf
index a9e648f5e..f91ca63a8 100755
--- a/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
left=PH_IP_MOON
leftcert=moonCert.pem
leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf
index 1da39e483..39a1aa825 100755
--- a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn home
left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf
index 8e41bb124..ca5919d5c 100755
--- a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn duck
left=PH_IP_MOON
diff --git a/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf
index d240302b6..b4bc2101c 100755
--- a/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
left=PH_IP_CAROL
leftcert=carolCert.pem
leftid=carol@strongswan.org
diff --git a/testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf
index fdca83e18..0b9917b53 100755
--- a/testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf
@@ -16,6 +16,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
left=PH_IP_MOON
leftcert=moonCert.pem
leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.conf
index d4ce57333..cf93bb231 100755
--- a/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
left=PH_IP_CAROL
leftcert=carolCert.pem
right=PH_IP_MOON
diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.conf
index ea445522e..5f04445d2 100755
--- a/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
left=PH_IP_DAVE
leftcert=daveCert.pem
right=PH_IP_MOON
diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.conf
index cf952be47..f79c501a8 100755
--- a/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.conf
@@ -16,6 +16,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
left=PH_IP_MOON
leftcert=moonCert.pem
leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf
index 0adb2593d..d11724c28 100755
--- a/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
left=PH_IP_CAROL
leftcert=carolCert.pem
leftsendcert=ifasked
diff --git a/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf
index 0e8e413e6..2d80aad8a 100755
--- a/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
left=PH_IP_DAVE
leftcert=daveCert.pem
leftsendcert=ifasked
diff --git a/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf
index 1e00096c8..9b97015fd 100755
--- a/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf
@@ -16,6 +16,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
left=PH_IP_MOON
leftcert=moonCert.pem
leftsendcert=ifasked
diff --git a/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/ipsec.conf
index 82576bb2b..1ee1b7749 100755
--- a/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn host-net
left=192.168.0.1
diff --git a/testing/tests/ikev1/nat-before-esp/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/nat-before-esp/hosts/sun/etc/ipsec.conf
index 506417867..57496e10e 100755
--- a/testing/tests/ikev1/nat-before-esp/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/nat-before-esp/hosts/sun/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn host-net
left=192.168.0.2
diff --git a/testing/tests/ikev1/nat-two-rw-mark/description.txt b/testing/tests/ikev1/nat-two-rw-mark/description.txt
new file mode 100644
index 000000000..2a93d11d8
--- /dev/null
+++ b/testing/tests/ikev1/nat-two-rw-mark/description.txt
@@ -0,0 +1,16 @@
+The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
+tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
+Since both roadwarriors possess the same 10.1.0.0/25 subnet, gateway <b>sun</b> uses Source NAT
+after ESP decryption to map these subnets to 10.3.0.10 and 10.3.0.20, respectively.
+<p/>
+In order to differentiate between the tunnels to <b>alice</b> and <b>venus</b>, respectively,
+<b>XFRM marks</b> are defined for both the inbound and outbound IPsec SAs and policies using
+the <b>mark</b> parameter in ipsec.conf.
+<p/>
+<b>iptables -t mangle</b> rules are then used in the PREROUTING chain to mark the traffic to
+and from <b>alice</b> and <b>venus</b>, respectively.
+<p/>
+The script designated by <b>leftupdown=/etc/mark_updown</b> automatically inserts
+iptables mangle rules that mark the inbound ESP_IN_UDP packets as well as iptables IPsec-policy rules
+that let pass the tunneled traffic. In order to test the tunnel, the NAT-ed hosts <b>alice</b>
+and <b>venus</b> ping the client <b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/ikev1/nat-two-rw-mark/evaltest.dat b/testing/tests/ikev1/nat-two-rw-mark/evaltest.dat
new file mode 100644
index 000000000..fa64c3d88
--- /dev/null
+++ b/testing/tests/ikev1/nat-two-rw-mark/evaltest.dat
@@ -0,0 +1,18 @@
+alice::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES
+venus::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES
+sun::ipsec status::alice.*STATE_QUICK_R2.*IPsec SA established::YES
+sun::ipsec status::alice.*alice@strongswan.org::YES
+sun::ipsec status::venus.*STATE_QUICK_R2.*IPsec SA established::YES
+sun::ipsec status::venus.*venus.strongswan.org::YES
+sun::ipsec statusall::alice.*10.2.0.0/16===.*===10.1.0.0/25::YES
+sun::ipsec statusall::venus.*10.2.0.0/16===.*===10.1.0.0/25::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon::tcpdump::IP moon.strongswan.org.4510.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
+moon::tcpdump::IP moon.strongswan.org.4520.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.4510.*: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.4520.*: UDP::YES
+bob::tcpdump::10.3.0.10 > bob.strongswan.org: ICMP echo request::YES
+bob::tcpdump::10.3.0.20 > bob.strongswan.org: ICMP echo request::YES
+bob::tcpdump::bob.strongswan.org > 10.3.0.10: ICMP echo reply::YES
+bob::tcpdump::bob.strongswan.org > 10.3.0.20: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/nat-two-rw-mark/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/nat-two-rw-mark/hosts/alice/etc/ipsec.conf
new file mode 100755
index 000000000..4ed556226
--- /dev/null
+++ b/testing/tests/ikev1/nat-two-rw-mark/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutodebug=control
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ nat_traversal=yes
+ charonstart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+
+conn nat-t
+ left=%defaultroute
+ leftsubnet=10.1.0.0/25
+ leftcert=aliceCert.pem
+ leftid=alice@strongswan.org
+ leftfirewall=yes
+ lefthostaccess=yes
+ right=PH_IP_SUN
+ rightid=@sun.strongswan.org
+ rightsubnet=10.2.0.0/16
+ auto=add
diff --git a/testing/tests/ikev1/nat-two-rw-mark/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/nat-two-rw-mark/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..2b346430e
--- /dev/null
+++ b/testing/tests/ikev1/nat-two-rw-mark/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,36 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutodebug="control parsing" #parsing to get knl 2 messages
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ nat_traversal=yes
+ charonstart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+
+conn alice
+ rightid=alice@strongswan.org
+ mark=10/0xffffffff
+ also=sun
+ auto=add
+
+conn venus
+ rightid=@venus.strongswan.org
+ mark=20 #0xffffffff is used by default
+ also=sun
+ auto=add
+
+conn sun
+ left=PH_IP_SUN
+ leftcert=sunCert.pem
+ leftid=@sun.strongswan.org
+ leftsubnet=10.2.0.0/16
+ leftupdown=/etc/mark_updown
+ right=%any
+ rightsubnet=10.1.0.0/25
diff --git a/testing/tests/ikev1/nat-two-rw-mark/hosts/sun/etc/mark_updown b/testing/tests/ikev1/nat-two-rw-mark/hosts/sun/etc/mark_updown
new file mode 100755
index 000000000..0d22e684d
--- /dev/null
+++ b/testing/tests/ikev1/nat-two-rw-mark/hosts/sun/etc/mark_updown
@@ -0,0 +1,527 @@
+#! /bin/sh
+# updown script setting inbound marks on ESP traffic in the mangle chain
+#
+# Copyright (C) 2003-2004 Nigel Meteringham
+# Copyright (C) 2003-2004 Tuomo Soini
+# Copyright (C) 2002-2004 Michael Richardson
+# Copyright (C) 2005-2010 Andreas Steffen <andreas.steffen@strongswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+
+# CAUTION: Installing a new version of strongSwan will install a new
+# copy of this script, wiping out any custom changes you make. If
+# you need changes, make a copy of this under another name, and customize
+# that, and use the (left/right)updown parameters in ipsec.conf to make
+# strongSwan use yours instead of this default one.
+
+# things that this script gets (from ipsec_pluto(8) man page)
+#
+# PLUTO_VERSION
+# indicates what version of this interface is being
+# used. This document describes version 1.1. This
+# is upwardly compatible with version 1.0.
+#
+# PLUTO_VERB
+# specifies the name of the operation to be performed
+# (prepare-host, prepare-client, up-host, up-client,
+# down-host, or down-client). If the address family
+# for security gateway to security gateway communica-
+# tions is IPv6, then a suffix of -v6 is added to the
+# verb.
+#
+# PLUTO_CONNECTION
+# is the name of the connection for which we are
+# routing.
+#
+# PLUTO_NEXT_HOP
+# is the next hop to which packets bound for the peer
+# must be sent.
+#
+# PLUTO_INTERFACE
+# is the name of the ipsec interface to be used.
+#
+# PLUTO_REQID
+# is the requid of the ESP policy
+#
+# PLUTO_ME
+# is the IP address of our host.
+#
+# PLUTO_MY_ID
+# is the ID of our host.
+#
+# PLUTO_MY_CLIENT
+# is the IP address / count of our client subnet. If
+# the client is just the host, this will be the
+# host's own IP address / max (where max is 32 for
+# IPv4 and 128 for IPv6).
+#
+# PLUTO_MY_CLIENT_NET
+# is the IP address of our client net. If the client
+# is just the host, this will be the host's own IP
+# address.
+#
+# PLUTO_MY_CLIENT_MASK
+# is the mask for our client net. If the client is
+# just the host, this will be 255.255.255.255.
+#
+# PLUTO_MY_SOURCEIP
+# if non-empty, then the source address for the route will be
+# set to this IP address.
+#
+# PLUTO_MY_PROTOCOL
+# is the IP protocol that will be transported.
+#
+# PLUTO_MY_PORT
+# is the UDP/TCP port to which the IPsec SA is
+# restricted on our side.
+#
+# PLUTO_PEER
+# is the IP address of our peer.
+#
+# PLUTO_PEER_ID
+# is the ID of our peer.
+#
+# PLUTO_PEER_CA
+# is the CA which issued the cert of our peer.
+#
+# PLUTO_PEER_CLIENT
+# is the IP address / count of the peer's client sub-
+# net. If the client is just the peer, this will be
+# the peer's own IP address / max (where max is 32
+# for IPv4 and 128 for IPv6).
+#
+# PLUTO_PEER_CLIENT_NET
+# is the IP address of the peer's client net. If the
+# client is just the peer, this will be the peer's
+# own IP address.
+#
+# PLUTO_PEER_CLIENT_MASK
+# is the mask for the peer's client net. If the
+# client is just the peer, this will be
+# 255.255.255.255.
+#
+# PLUTO_PEER_PROTOCOL
+# is the IP protocol that will be transported.
+#
+# PLUTO_PEER_PORT
+# is the UDP/TCP port to which the IPsec SA is
+# restricted on the peer side.
+#
+# PLUTO_XAUTH_ID
+# is an optional user ID employed by the XAUTH protocol
+#
+# PLUTO_MARK_IN
+# is an optional XFRM mark set on the inbound IPsec SA
+#
+# PLUTO_MARK_OUT
+# is an optional XFRM mark set on the outbound IPsec SA
+#
+# PLUTO_UDP_ENC
+# contains the remote UDP port in the case of ESP_IN_UDP
+# encapsulation
+#
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+export PATH
+
+# uncomment to log VPN connections
+VPN_LOGGING=1
+#
+# tag put in front of each log entry:
+TAG=vpn
+#
+# syslog facility and priority used:
+FAC_PRIO=local0.notice
+#
+# to create a special vpn logging file, put the following line into
+# the syslog configuration file /etc/syslog.conf:
+#
+# local0.notice -/var/log/vpn
+
+# in order to use source IP routing the Linux kernel options
+# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
+# must be enabled
+#
+# special routing table for sourceip routes
+SOURCEIP_ROUTING_TABLE=220
+#
+# priority of the sourceip routing table
+SOURCEIP_ROUTING_TABLE_PRIO=220
+
+# check interface version
+case "$PLUTO_VERSION" in
+1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features.
+ echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
+ echo "$0: called by obsolete Pluto?" >&2
+ exit 2
+ ;;
+1.*) ;;
+*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
+ exit 2
+ ;;
+esac
+
+# check parameter(s)
+case "$1:$*" in
+':') # no parameters
+ ;;
+iptables:iptables) # due to (left/right)firewall; for default script only
+ ;;
+custom:*) # custom parameters (see above CAUTION comment)
+ ;;
+*) echo "$0: unknown parameters \`$*'" >&2
+ exit 2
+ ;;
+esac
+
+# utility functions for route manipulation
+# Meddling with this stuff should not be necessary and requires great care.
+uproute() {
+ doroute add
+ ip route flush cache
+}
+downroute() {
+ doroute delete
+ ip route flush cache
+}
+
+addsource() {
+ st=0
+ if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
+ then
+ it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
+ oops="`eval $it 2>&1`"
+ st=$?
+ if test " $oops" = " " -a " $st" != " 0"
+ then
+ oops="silent error, exit status $st"
+ fi
+ if test " $oops" != " " -o " $st" != " 0"
+ then
+ echo "$0: addsource \`$it' failed ($oops)" >&2
+ fi
+ fi
+ return $st
+}
+
+doroute() {
+ st=0
+
+ if [ -z "$PLUTO_MY_SOURCEIP" ]
+ then
+ for dir in /etc/sysconfig /etc/conf.d; do
+ if [ -f "$dir/defaultsource" ]
+ then
+ . "$dir/defaultsource"
+ fi
+ done
+
+ if [ -n "$DEFAULTSOURCE" ]
+ then
+ PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+ fi
+ fi
+
+ if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+ then
+ # leave because no route entry is required
+ return $st
+ fi
+
+ parms1="$PLUTO_PEER_CLIENT"
+
+ if [ -n "$PLUTO_NEXT_HOP" ]
+ then
+ parms2="via $PLUTO_NEXT_HOP"
+ else
+ parms2="via $PLUTO_PEER"
+ fi
+ parms2="$parms2 dev $PLUTO_INTERFACE"
+
+ parms3=
+ if [ -n "$PLUTO_MY_SOURCEIP" ]
+ then
+ if test "$1" = "add"
+ then
+ addsource
+ if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
+ then
+ ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
+ fi
+ fi
+ parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
+ fi
+
+ case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+ "0.0.0.0/0.0.0.0")
+ # opportunistic encryption work around
+ # need to provide route that eclipses default, without
+ # replacing it.
+ it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
+ ip route $1 128.0.0.0/1 $parms2 $parms3"
+ ;;
+ *) it="ip route $1 $parms1 $parms2 $parms3"
+ ;;
+ esac
+ oops="`eval $it 2>&1`"
+ st=$?
+ if test " $oops" = " " -a " $st" != " 0"
+ then
+ oops="silent error, exit status $st"
+ fi
+ if test " $oops" != " " -o " $st" != " 0"
+ then
+ echo "$0: doroute \`$it' failed ($oops)" >&2
+ fi
+ return $st
+}
+
+# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
+if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
+then
+ KLIPS=1
+ IPSEC_POLICY_IN=""
+ IPSEC_POLICY_OUT=""
+else
+ KLIPS=
+ IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
+ IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+ IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
+fi
+
+# is there an inbound mark to be set?
+if [ -n "$PLUTO_MARK_IN" ]
+then
+ if [ -n "$PLUTO_UDP_ENC" ]
+ then
+ SET_MARK="-p udp --sport $PLUTO_UDP_ENC"
+ else
+ SET_MARK="-p esp"
+ fi
+ SET_MARK="$SET_MARK -s $PLUTO_PEER -j MARK --set-mark $PLUTO_MARK_IN"
+fi
+
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+ S_MY_PORT="--sport $PLUTO_MY_PORT"
+ D_MY_PORT="--dport $PLUTO_MY_PORT"
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+ S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+ D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+fi
+
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
+# the big choice
+case "$PLUTO_VERB:$1" in
+prepare-host:*|prepare-client:*)
+ if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+ then
+ # exit because no route will be added,
+ # so that existing routes can stay
+ exit 0
+ fi
+
+ # delete possibly-existing route (preliminary to adding a route)
+ case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+ "0.0.0.0/0.0.0.0")
+ # need to provide route that eclipses default, without
+ # replacing it.
+ parms1="0.0.0.0/1"
+ parms2="128.0.0.0/1"
+ it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
+ oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
+ ;;
+ *)
+ parms="$PLUTO_PEER_CLIENT"
+ it="ip route delete $parms 2>&1"
+ oops="`ip route delete $parms 2>&1`"
+ ;;
+ esac
+ status="$?"
+ if test " $oops" = " " -a " $status" != " 0"
+ then
+ oops="silent error, exit status $status"
+ fi
+ case "$oops" in
+ *'RTNETLINK answers: No such process'*)
+ # This is what route (currently -- not documented!) gives
+ # for "could not find such a route".
+ oops=
+ status=0
+ ;;
+ esac
+ if test " $oops" != " " -o " $status" != " 0"
+ then
+ echo "$0: \`$it' failed ($oops)" >&2
+ fi
+ exit $status
+ ;;
+route-host:*|route-client:*)
+ # connection to me or my client subnet being routed
+ uproute
+ ;;
+unroute-host:*|unroute-client:*)
+ # connection to me or my client subnet being unrouted
+ downroute
+ ;;
+up-host:)
+ # connection to me coming up
+ # If you are doing a custom version, firewall commands go here.
+ if [ -n "$PLUTO_MARK_IN" ]
+ then
+ iptables -t mangle -A PREROUTING $SET_MARK
+ fi
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ #
+ # log IPsec host connection setup
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ else
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ fi
+ fi
+ ;;
+down-host:)
+ # connection to me going down
+ # If you are doing a custom version, firewall commands go here.
+ if [ -n "$PLUTO_MARK_IN" ]
+ then
+ iptables -t mangle -D PREROUTING $SET_MARK
+ fi
+ iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ #
+ # log IPsec host connection teardown
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+ then
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ else
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ fi
+ fi
+ ;;
+up-client:)
+ # connection to my client subnet coming up
+ # If you are doing a custom version, firewall commands go here.
+ if [ -n "$PLUTO_MARK_IN" ]
+ then
+ iptables -t mangle -A PREROUTING $SET_MARK
+ fi
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+ then
+ iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+ iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+ fi
+ #
+ # log IPsec client connection setup
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ else
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ fi
+ fi
+ ;;
+down-client:)
+ # connection to my client subnet going down
+ # If you are doing a custom version, firewall commands go here.
+ if [ -n "$PLUTO_MARK_IN" ]
+ then
+ iptables -t mangle -D PREROUTING $SET_MARK
+ fi
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+ then
+ iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+ $IPSEC_POLICY_OUT -j ACCEPT
+ iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
+ $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
+ $IPSEC_POLICY_IN -j ACCEPT
+ iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+ $IPSEC_POLICY_OUT -j ACCEPT
+ fi
+ #
+ # log IPsec client connection teardown
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+ then
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ else
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ fi
+ fi
+ ;;
+*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+ exit 1
+ ;;
+esac
diff --git a/testing/tests/ikev1/nat-two-rw-mark/hosts/venus/etc/ipsec.conf b/testing/tests/ikev1/nat-two-rw-mark/hosts/venus/etc/ipsec.conf
new file mode 100755
index 000000000..0be3477c1
--- /dev/null
+++ b/testing/tests/ikev1/nat-two-rw-mark/hosts/venus/etc/ipsec.conf
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutodebug=control
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ nat_traversal=yes
+ charonstart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+
+conn nat-t
+ left=%defaultroute
+ leftsubnet=10.1.0.0/25
+ leftcert=venusCert.pem
+ leftid=@venus.strongswan.org
+ leftfirewall=yes
+ lefthostaccess=yes
+ right=PH_IP_SUN
+ rightid=@sun.strongswan.org
+ rightsubnet=10.2.0.0/16
+ auto=add
diff --git a/testing/tests/ikev1/nat-two-rw-mark/posttest.dat b/testing/tests/ikev1/nat-two-rw-mark/posttest.dat
new file mode 100644
index 000000000..89d5f534b
--- /dev/null
+++ b/testing/tests/ikev1/nat-two-rw-mark/posttest.dat
@@ -0,0 +1,11 @@
+sun::iptables -t mangle -v -n -L PREROUTING
+sun::ipsec stop
+alice::ipsec stop
+venus::ipsec stop
+alice::/etc/init.d/iptables stop 2> /dev/null
+venus::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables -t nat -F
+moon::conntrack -F
+sun::conntrack -F
+sun::rm /etc/mark_updown
diff --git a/testing/tests/ikev1/nat-two-rw-mark/pretest.dat b/testing/tests/ikev1/nat-two-rw-mark/pretest.dat
new file mode 100644
index 000000000..310e5be71
--- /dev/null
+++ b/testing/tests/ikev1/nat-two-rw-mark/pretest.dat
@@ -0,0 +1,21 @@
+alice::/etc/init.d/iptables start 2> /dev/null
+venus::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to PH_IP_MOON
+moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_ALICE -p udp --sport 500 -j SNAT --to PH_IP_MOON:510
+moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_VENUS -p udp --sport 500 -j SNAT --to PH_IP_MOON:520
+moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_ALICE -p udp --sport 4500 -j SNAT --to PH_IP_MOON:4510
+moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_VENUS -p udp --sport 4500 -j SNAT --to PH_IP_MOON:4520
+sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to 10.3.0.10
+sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to 10.3.0.20
+sun::iptables -t mangle -A PREROUTING -d 10.3.0.10 -j MARK --set-mark 10
+sun::iptables -t mangle -A PREROUTING -d 10.3.0.20 -j MARK --set-mark 20
+alice::ipsec start
+venus::ipsec start
+sun::ipsec start
+alice::sleep 2
+alice::ipsec up nat-t
+venus::sleep 2
+venus::ipsec up nat-t
+venus::sleep 2
diff --git a/testing/tests/ikev1/nat-two-rw-mark/test.conf b/testing/tests/ikev1/nat-two-rw-mark/test.conf
new file mode 100644
index 000000000..ae3c190b8
--- /dev/null
+++ b/testing/tests/ikev1/nat-two-rw-mark/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon bob"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/ipsec.conf
index e8576f0e7..eee3c45e8 100755
--- a/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/ipsec.conf
@@ -10,6 +10,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
authby=secret
conn nat-t
diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/strongswan.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/strongswan.conf
index 85e5f1aee..453cdc07c 100644
--- a/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac gmp random
+ load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.conf
index ebd735a11..a7c500fe2 100755
--- a/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.conf
@@ -10,6 +10,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
authby=secret
conn nat-t
diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/strongswan.conf
index 85e5f1aee..453cdc07c 100644
--- a/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac gmp random
+ load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/ipsec.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/ipsec.conf
index e8576f0e7..eee3c45e8 100755
--- a/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/ipsec.conf
+++ b/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/ipsec.conf
@@ -10,6 +10,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
authby=secret
conn nat-t
diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/strongswan.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/strongswan.conf
index 85e5f1aee..453cdc07c 100644
--- a/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac gmp random
+ load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.conf
index 83d2b268a..a38c66023 100755
--- a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.conf
@@ -10,6 +10,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn net-net
left=PH_IP_MOON
diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/strongswan.conf
index 30c802be8..71896491e 100644
--- a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random curl
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random curl kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.conf
index d5b7c39fa..6a373e29f 100755
--- a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.conf
@@ -10,6 +10,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn net-net
left=PH_IP_SUN
diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/strongswan.conf
index 30c802be8..71896491e 100644
--- a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random curl
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random curl kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.conf
index bbd1f3a06..094ab3bed 100755
--- a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.conf
@@ -10,6 +10,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn net-net
left=PH_IP_MOON
diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/strongswan.conf
index 30c802be8..71896491e 100644
--- a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random curl
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random curl kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.conf
index abe91e6ee..428b10ce6 100755
--- a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.conf
@@ -10,6 +10,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn net-net
left=PH_IP_SUN
diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/strongswan.conf
index 30c802be8..71896491e 100644
--- a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random curl
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random curl kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf
index 7302a423b..ad0359f01 100755
--- a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
authby=secret
conn net-net
diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf
index 85e5f1aee..453cdc07c 100644
--- a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac gmp random
+ load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf
index 7633f5c8b..9bbff9039 100755
--- a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
authby=secret
conn net-net
diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf
index 85e5f1aee..453cdc07c 100644
--- a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac gmp random
+ load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.conf
index 5eedd9f28..c63ec2f30 100755
--- a/testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
authby=secret
conn net-net
diff --git a/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf
index 85e5f1aee..453cdc07c 100644
--- a/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac gmp random
+ load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.conf
index 24bd66f53..e21ee9910 100755
--- a/testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
authby=secret
conn net-net
diff --git a/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf
index 85e5f1aee..453cdc07c 100644
--- a/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac gmp random
+ load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/net2net-route/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-route/hosts/moon/etc/ipsec.conf
index eabb76bf7..bc72fab0f 100755
--- a/testing/tests/ikev1/net2net-route/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-route/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn net-net
left=PH_IP_MOON
diff --git a/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.conf
index 18b18f3ea..837c1ab56 100755
--- a/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn net-net
left=PH_IP_MOON
diff --git a/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/strongswan.conf
index 4bf0f97aa..c50c4c594 100644
--- a/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac dnskey pkcs1 x509 gmp random curl
+ load = sha1 sha2 md5 aes des hmac dnskey pkcs1 x509 gmp random curl kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.conf
index 3f2bc48c0..efd9c798a 100755
--- a/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn net-net
left=PH_IP_SUN
diff --git a/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/strongswan.conf
index 4bf0f97aa..c50c4c594 100644
--- a/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac dnskey pkcs1 x509 gmp random curl
+ load = sha1 sha2 md5 aes des hmac dnskey pkcs1 x509 gmp random curl kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/net2net-same-nets/description.txt b/testing/tests/ikev1/net2net-same-nets/description.txt
new file mode 100644
index 000000000..d0eb3374f
--- /dev/null
+++ b/testing/tests/ikev1/net2net-same-nets/description.txt
@@ -0,0 +1,15 @@
+A connection between two identical <b>10.0.0.0/14</b> networks behind the gateways <b>moon</b>
+and <b>sun</b> is set up. In order to make network routing work, the subnet behind <b>moon</b>
+sees the subnet behind <b>sun</b> as <b>10.4.0.0/14</b> whereas the subnet behind <b>sun</b>
+sees the subnet behind <b>moon</b> as <b>10.8.0.0/14</b>. The necessary network mappings are
+done on gateway <b>sun</b> using the iptables <b>MARK</b> and <b>NETMAP</b> targets.
+<p/>
+Upon the successful establishment of the IPsec tunnel, on gateway <b>moon</b> the directive
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
+the tunneled traffic whereas on gateway <b>sun</b> the script indicated by
+<b>leftupdown=/etc/mark_updown</b> inserts iptables rules that set marks defined in the
+connection definition of <b>ipsec.conf</b> both on the inbound and outbound traffic, create
+the necessary NETMAP operations and forward the tunneled traffic.
+<p/>
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b> and vice versa.
diff --git a/testing/tests/ikev1/net2net-same-nets/evaltest.dat b/testing/tests/ikev1/net2net-same-nets/evaltest.dat
new file mode 100644
index 000000000..b5ad0628e
--- /dev/null
+++ b/testing/tests/ikev1/net2net-same-nets/evaltest.dat
@@ -0,0 +1,10 @@
+moon::ipsec statusall::net-net.*IPsec SA established::YES
+sun::ipsec statusall::net-net.*IPsec SA established::YES
+alice::ping -c 1 10.6.0.10::64 bytes from 10.6.0.10: icmp_seq=1::YES
+bob::ping -c 1 10.9.0.10::64 bytes from 10.9.0.10: icmp_seq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+bob::tcpdump::IP 10.9.0.10 > bob.strongswan.org: ICMP echo request::YES
+bob::tcpdump::IP bob.strongswan.org > 10.9.0.10: ICMP echo reply::YES
+bob::tcpdump::IP bob.strongswan.org > 10.9.0.10: ICMP echo request::YES
+bob::tcpdump::IP 10.9.0.10 > bob.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/net2net-same-nets/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-same-nets/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..30af017ff
--- /dev/null
+++ b/testing/tests/ikev1/net2net-same-nets/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ charonstart=no
+ plutodebug=control
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+
+conn net-net
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.0.0.0/14
+ leftfirewall=yes
+ right=PH_IP_SUN
+ rightid=@sun.strongswan.org
+ rightsubnet=10.4.0.0/14
+ auto=add
diff --git a/testing/tests/ikev1/net2net-same-nets/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-same-nets/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..5e924cf25
--- /dev/null
+++ b/testing/tests/ikev1/net2net-same-nets/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ charonstart=no
+ plutodebug=control
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+
+conn net-net
+ left=PH_IP_SUN
+ leftcert=sunCert.pem
+ leftid=@sun.strongswan.org
+ leftsubnet=10.4.0.0/14
+ leftupdown=/etc/mark_updown
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.0.0.0/14
+ mark_in=8
+ mark_out=4
+ auto=add
diff --git a/testing/tests/ikev1/net2net-same-nets/hosts/sun/etc/mark_updown b/testing/tests/ikev1/net2net-same-nets/hosts/sun/etc/mark_updown
new file mode 100755
index 000000000..0bfdcad85
--- /dev/null
+++ b/testing/tests/ikev1/net2net-same-nets/hosts/sun/etc/mark_updown
@@ -0,0 +1,376 @@
+#! /bin/sh
+# updown script setting inbound marks on ESP traffic in the mangle chain
+#
+# Copyright (C) 2003-2004 Nigel Meteringham
+# Copyright (C) 2003-2004 Tuomo Soini
+# Copyright (C) 2002-2004 Michael Richardson
+# Copyright (C) 2005-2010 Andreas Steffen <andreas.steffen@strongswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+
+# CAUTION: Installing a new version of strongSwan will install a new
+# copy of this script, wiping out any custom changes you make. If
+# you need changes, make a copy of this under another name, and customize
+# that, and use the (left/right)updown parameters in ipsec.conf to make
+# strongSwan use yours instead of this default one.
+
+# things that this script gets (from ipsec_pluto(8) man page)
+#
+# PLUTO_VERSION
+# indicates what version of this interface is being
+# used. This document describes version 1.1. This
+# is upwardly compatible with version 1.0.
+#
+# PLUTO_VERB
+# specifies the name of the operation to be performed
+# (prepare-host, prepare-client, up-host, up-client,
+# down-host, or down-client). If the address family
+# for security gateway to security gateway communica-
+# tions is IPv6, then a suffix of -v6 is added to the
+# verb.
+#
+# PLUTO_CONNECTION
+# is the name of the connection for which we are
+# routing.
+#
+# PLUTO_NEXT_HOP
+# is the next hop to which packets bound for the peer
+# must be sent.
+#
+# PLUTO_INTERFACE
+# is the name of the ipsec interface to be used.
+#
+# PLUTO_REQID
+# is the requid of the ESP policy
+#
+# PLUTO_ME
+# is the IP address of our host.
+#
+# PLUTO_MY_ID
+# is the ID of our host.
+#
+# PLUTO_MY_CLIENT
+# is the IP address / count of our client subnet. If
+# the client is just the host, this will be the
+# host's own IP address / max (where max is 32 for
+# IPv4 and 128 for IPv6).
+#
+# PLUTO_MY_CLIENT_NET
+# is the IP address of our client net. If the client
+# is just the host, this will be the host's own IP
+# address.
+#
+# PLUTO_MY_CLIENT_MASK
+# is the mask for our client net. If the client is
+# just the host, this will be 255.255.255.255.
+#
+# PLUTO_MY_SOURCEIP
+# if non-empty, then the source address for the route will be
+# set to this IP address.
+#
+# PLUTO_MY_PROTOCOL
+# is the IP protocol that will be transported.
+#
+# PLUTO_MY_PORT
+# is the UDP/TCP port to which the IPsec SA is
+# restricted on our side.
+#
+# PLUTO_PEER
+# is the IP address of our peer.
+#
+# PLUTO_PEER_ID
+# is the ID of our peer.
+#
+# PLUTO_PEER_CA
+# is the CA which issued the cert of our peer.
+#
+# PLUTO_PEER_CLIENT
+# is the IP address / count of the peer's client sub-
+# net. If the client is just the peer, this will be
+# the peer's own IP address / max (where max is 32
+# for IPv4 and 128 for IPv6).
+#
+# PLUTO_PEER_CLIENT_NET
+# is the IP address of the peer's client net. If the
+# client is just the peer, this will be the peer's
+# own IP address.
+#
+# PLUTO_PEER_CLIENT_MASK
+# is the mask for the peer's client net. If the
+# client is just the peer, this will be
+# 255.255.255.255.
+#
+# PLUTO_PEER_PROTOCOL
+# is the IP protocol that will be transported.
+#
+# PLUTO_PEER_PORT
+# is the UDP/TCP port to which the IPsec SA is
+# restricted on the peer side.
+#
+# PLUTO_XAUTH_ID
+# is an optional user ID employed by the XAUTH protocol
+#
+# PLUTO_MARK_IN
+# is an optional XFRM mark set on the inbound IPsec SA
+#
+# PLUTO_MARK_OUT
+# is an optional XFRM mark set on the outbound IPsec SA
+#
+# PLUTO_UDP_ENC
+# contains the remote UDP port in the case of ESP_IN_UDP
+# encapsulation
+#
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+export PATH
+
+# check parameter(s)
+case "$1:$*" in
+':') # no parameters
+ ;;
+iptables:iptables) # due to (left/right)firewall; for default script only
+ ;;
+custom:*) # custom parameters (see above CAUTION comment)
+ ;;
+*) echo "$0: unknown parameters \`$*'" >&2
+ exit 2
+ ;;
+esac
+
+# utility functions for route manipulation
+# Meddling with this stuff should not be necessary and requires great care.
+uproute() {
+ doroute add
+ ip route flush cache
+}
+downroute() {
+ doroute delete
+ ip route flush cache
+}
+
+addsource() {
+ st=0
+ if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
+ then
+ it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
+ oops="`eval $it 2>&1`"
+ st=$?
+ if test " $oops" = " " -a " $st" != " 0"
+ then
+ oops="silent error, exit status $st"
+ fi
+ if test " $oops" != " " -o " $st" != " 0"
+ then
+ echo "$0: addsource \`$it' failed ($oops)" >&2
+ fi
+ fi
+ return $st
+}
+
+doroute() {
+ st=0
+
+ if [ -z "$PLUTO_MY_SOURCEIP" ]
+ then
+ for dir in /etc/sysconfig /etc/conf.d; do
+ if [ -f "$dir/defaultsource" ]
+ then
+ . "$dir/defaultsource"
+ fi
+ done
+
+ if [ -n "$DEFAULTSOURCE" ]
+ then
+ PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+ fi
+ fi
+
+ if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+ then
+ # leave because no route entry is required
+ return $st
+ fi
+
+ parms1="$PLUTO_PEER_CLIENT"
+
+ if [ -n "$PLUTO_NEXT_HOP" ]
+ then
+ parms2="via $PLUTO_NEXT_HOP"
+ else
+ parms2="via $PLUTO_PEER"
+ fi
+ parms2="$parms2 dev $PLUTO_INTERFACE"
+
+ parms3=
+ if [ -n "$PLUTO_MY_SOURCEIP" ]
+ then
+ if test "$1" = "add"
+ then
+ addsource
+ if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
+ then
+ ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
+ fi
+ fi
+ parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
+ fi
+
+ case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+ "0.0.0.0/0.0.0.0")
+ # opportunistic encryption work around
+ # need to provide route that eclipses default, without
+ # replacing it.
+ it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
+ ip route $1 128.0.0.0/1 $parms2 $parms3"
+ ;;
+ *) it="ip route $1 $parms1 $parms2 $parms3"
+ ;;
+ esac
+ oops="`eval $it 2>&1`"
+ st=$?
+ if test " $oops" = " " -a " $st" != " 0"
+ then
+ oops="silent error, exit status $st"
+ fi
+ if test " $oops" != " " -o " $st" != " 0"
+ then
+ echo "$0: doroute \`$it' failed ($oops)" >&2
+ fi
+ return $st
+}
+# define NETMAP
+SAME_NET=$PLUTO_PEER_CLIENT
+IN_NET=$PLUTO_MY_CLIENT
+OUT_NET="10.8.0.0/14"
+
+# define internal interface
+INT_INTERFACE="eth1"
+
+# is there an inbound mark to be set?
+if [ -n "$PLUTO_MARK_IN" ]
+then
+ if [ -n "$PLUTO_UDP_ENC" ]
+ then
+ SET_MARK_IN="-p udp --sport $PLUTO_UDP_ENC"
+ else
+ SET_MARK_IN="-p esp"
+ fi
+ SET_MARK_IN="$SET_MARK_IN -s $PLUTO_PEER -j MARK --set-mark $PLUTO_MARK_IN"
+fi
+
+# is there an outbound mark to be set?
+if [ -n "$PLUTO_MARK_OUT" ]
+then
+ SET_MARK_OUT="-i $INT_INTERFACE -s $SAME_NET -d $OUT_NET -j MARK --set-mark $PLUTO_MARK_OUT"
+fi
+
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
+# the big choice
+case "$PLUTO_VERB:$1" in
+prepare-host:*|prepare-client:*)
+ if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+ then
+ # exit because no route will be added,
+ # so that existing routes can stay
+ exit 0
+ fi
+
+ # delete possibly-existing route (preliminary to adding a route)
+ case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+ "0.0.0.0/0.0.0.0")
+ # need to provide route that eclipses default, without
+ # replacing it.
+ parms1="0.0.0.0/1"
+ parms2="128.0.0.0/1"
+ it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
+ oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
+ ;;
+ *)
+ parms="$PLUTO_PEER_CLIENT"
+ it="ip route delete $parms 2>&1"
+ oops="`ip route delete $parms 2>&1`"
+ ;;
+ esac
+ status="$?"
+ if test " $oops" = " " -a " $status" != " 0"
+ then
+ oops="silent error, exit status $status"
+ fi
+ case "$oops" in
+ *'RTNETLINK answers: No such process'*)
+ # This is what route (currently -- not documented!) gives
+ # for "could not find such a route".
+ oops=
+ status=0
+ ;;
+ esac
+ if test " $oops" != " " -o " $status" != " 0"
+ then
+ echo "$0: \`$it' failed ($oops)" >&2
+ fi
+ exit $status
+ ;;
+route-host:*|route-client:*)
+ # connection to me or my client subnet being routed
+ uproute
+ ;;
+unroute-host:*|unroute-client:*)
+ # connection to me or my client subnet being unrouted
+ downroute
+ ;;
+up-client:)
+ # connection to my client subnet coming up
+ # If you are doing a custom version, firewall commands go here.
+ if [ -n "$PLUTO_MARK_IN" ]
+ then
+ iptables -t mangle -A PREROUTING $SET_MARK_IN
+ iptables -t nat -A PREROUTING -i $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_IN \
+ -d $IN_NET -j NETMAP --to $SAME_NET
+ iptables -I FORWARD 1 -i $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_IN -j ACCEPT
+ iptables -t nat -A POSTROUTING -o $INT_INTERFACE -m mark --mark $PLUTO_MARK_IN \
+ -s $SAME_NET -j NETMAP --to $OUT_NET
+ fi
+ if [ -n "$PLUTO_MARK_OUT" ]
+ then
+ iptables -t mangle -A PREROUTING $SET_MARK_OUT
+ iptables -t nat -A PREROUTING -i $INT_INTERFACE -m mark --mark $PLUTO_MARK_OUT \
+ -d $OUT_NET -j NETMAP --to $SAME_NET
+ iptables -I FORWARD 1 -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT -j ACCEPT
+ iptables -t nat -A POSTROUTING -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT \
+ -s $SAME_NET -j NETMAP --to $IN_NET
+ fi
+ ;;
+down-client:)
+ # connection to my client subnet going down
+ # If you are doing a custom version, firewall commands go here.
+ if [ -n "$PLUTO_MARK_IN" ]
+ then
+ iptables -t mangle -D PREROUTING $SET_MARK_IN
+ iptables -t nat -D PREROUTING -i $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_IN \
+ -d $IN_NET -j NETMAP --to $SAME_NET
+ iptables -D FORWARD -i $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_IN -j ACCEPT
+ iptables -t nat -D POSTROUTING -o eth1 -m mark --mark $PLUTO_MARK_IN \
+ -s $SAME_NET -j NETMAP --to $OUT_NET
+ fi
+ if [ -n "$PLUTO_MARK_OUT" ]
+ then
+ iptables -t mangle -D PREROUTING $SET_MARK_OUT
+ iptables -D FORWARD -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT -j ACCEPT
+ fi
+ ;;
+*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+ exit 1
+ ;;
+esac
diff --git a/testing/tests/ikev1/net2net-same-nets/posttest.dat b/testing/tests/ikev1/net2net-same-nets/posttest.dat
new file mode 100644
index 000000000..e75e66650
--- /dev/null
+++ b/testing/tests/ikev1/net2net-same-nets/posttest.dat
@@ -0,0 +1,7 @@
+sun::iptables -t mangle -n -v -L PREROUTING
+sun::iptables -t nat -n -v -L
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+sun::conntrack -F
diff --git a/testing/tests/ikev1/net2net-same-nets/pretest.dat b/testing/tests/ikev1/net2net-same-nets/pretest.dat
new file mode 100644
index 000000000..2d7a78acb
--- /dev/null
+++ b/testing/tests/ikev1/net2net-same-nets/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1
+moon::ipsec up net-net
diff --git a/testing/tests/ikev1/net2net-same-nets/test.conf b/testing/tests/ikev1/net2net-same-nets/test.conf
new file mode 100644
index 000000000..1971a33ab
--- /dev/null
+++ b/testing/tests/ikev1/net2net-same-nets/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun bob"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/net2net-start/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-start/hosts/moon/etc/ipsec.conf
index e2e43cecd..acb12e7f3 100755
--- a/testing/tests/ikev1/net2net-start/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-start/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn net-net
left=PH_IP_MOON
diff --git a/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.conf
index 9a1f0934b..a62964829 100755
--- a/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.conf
@@ -16,6 +16,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
left=PH_IP_CAROL
leftcert=carolRevokedCert.pem
leftid=carol@strongswan.org
diff --git a/testing/tests/ikev1/ocsp-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ocsp-revoked/hosts/moon/etc/ipsec.conf
index 9b0c9b534..cd2ab0aca 100755
--- a/testing/tests/ikev1/ocsp-revoked/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/ocsp-revoked/hosts/moon/etc/ipsec.conf
@@ -16,6 +16,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
left=PH_IP_MOON
leftcert=moonCert.pem
leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/ocsp-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ocsp-strict/hosts/carol/etc/ipsec.conf
index 5624f4fcf..c79b1c3e2 100755
--- a/testing/tests/ikev1/ocsp-strict/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/ocsp-strict/hosts/carol/etc/ipsec.conf
@@ -16,6 +16,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
left=PH_IP_CAROL
leftcert=carolCert.pem
leftid=carol@strongswan.org
diff --git a/testing/tests/ikev1/ocsp-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ocsp-strict/hosts/moon/etc/ipsec.conf
index 9b0c9b534..cd2ab0aca 100755
--- a/testing/tests/ikev1/ocsp-strict/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/ocsp-strict/hosts/moon/etc/ipsec.conf
@@ -16,6 +16,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
left=PH_IP_MOON
leftcert=moonCert.pem
leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/passthrough/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/passthrough/hosts/moon/etc/ipsec.conf
index 557fb62eb..25eec2a3e 100755
--- a/testing/tests/ikev1/passthrough/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/passthrough/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
left=PH_IP_MOON
leftsubnet=10.1.0.0/16
right=PH_IP_SUN
diff --git a/testing/tests/ikev1/passthrough/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/passthrough/hosts/sun/etc/ipsec.conf
index 9276f1f90..7541aa894 100755
--- a/testing/tests/ikev1/passthrough/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/passthrough/hosts/sun/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn net-net
left=PH_IP_SUN
diff --git a/testing/tests/ikev1/protoport-dual/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/protoport-dual/hosts/carol/etc/ipsec.conf
index 3adfdc0b8..48df689af 100755
--- a/testing/tests/ikev1/protoport-dual/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/protoport-dual/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
left=PH_IP_CAROL
leftcert=carolCert.pem
leftid=carol@strongswan.org
diff --git a/testing/tests/ikev1/protoport-dual/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/protoport-dual/hosts/moon/etc/ipsec.conf
index e1ce14973..c4bfebda1 100755
--- a/testing/tests/ikev1/protoport-dual/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/protoport-dual/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
left=PH_IP_MOON
leftcert=moonCert.pem
leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/protoport-pass/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/protoport-pass/hosts/carol/etc/ipsec.conf
index 913e6d91a..aae781b69 100755
--- a/testing/tests/ikev1/protoport-pass/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/protoport-pass/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn home-icmp
left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/protoport-pass/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/protoport-pass/hosts/moon/etc/ipsec.conf
index d941e81ef..7b80a299e 100755
--- a/testing/tests/ikev1/protoport-pass/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/protoport-pass/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn rw-icmp
left=PH_IP_MOON
diff --git a/testing/tests/ikev1/protoport-route/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/protoport-route/hosts/carol/etc/ipsec.conf
index dfc0143ed..2bb557410 100755
--- a/testing/tests/ikev1/protoport-route/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/protoport-route/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
left=PH_IP_CAROL
leftcert=carolCert.pem
leftid=carol@strongswan.org
diff --git a/testing/tests/ikev1/protoport-route/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/protoport-route/hosts/moon/etc/ipsec.conf
index e1ce14973..c4bfebda1 100755
--- a/testing/tests/ikev1/protoport-route/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/protoport-route/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
left=PH_IP_MOON
leftcert=moonCert.pem
leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.conf
index 6db69096b..7c2bb3a98 100755
--- a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn home
left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/strongswan.conf
index 737117cc9..e589a9425 100644
--- a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
}
scepclient {
diff --git a/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/strongswan.conf
index 737117cc9..e589a9425 100644
--- a/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
}
scepclient {
diff --git a/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf
index 72ff765c3..7403971e9 100644
--- a/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = test-vectors sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+ load = test-vectors sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf
index 72ff765c3..7403971e9 100644
--- a/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = test-vectors sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+ load = test-vectors sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/rw-mark-in-out/description.txt b/testing/tests/ikev1/rw-mark-in-out/description.txt
new file mode 100644
index 000000000..4c35081b1
--- /dev/null
+++ b/testing/tests/ikev1/rw-mark-in-out/description.txt
@@ -0,0 +1,16 @@
+The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the router <b>moon</b> set up
+tunnels to gateway <b>sun</b>. Since both roadwarriors possess the same 10.1.0.0/25 subnet,
+gateway <b>sun</b> uses Source NAT after ESP decryption to map these subnets to 10.3.0.10
+and 10.3.0.20, respectively.
+<p/>
+In order to differentiate between the tunnels to <b>alice</b> and <b>venus</b>, respectively,
+<b>XFRM marks</b> are defined for both the inbound and outbound IPsec SAs and policies using
+the <b>mark_in</b> and <b>mark_out</b> parameters in ipsec.conf.
+<p/>
+<b>iptables -t mangle</b> rules are then used in the PREROUTING chain to mark the traffic to
+and from <b>alice</b> and <b>venus</b>, respectively.
+<p/>
+The script designated by <b>leftupdown=/etc/mark_updown</b> automatically inserts
+iptables mangle rules that mark the inbound ESP packets as well as iptables IPsec-policy rules
+that let pass the tunneled traffic. In order to test the tunnel, the hosts <b>alice</b>
+and <b>venus</b> ping the client <b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/ikev1/rw-mark-in-out/evaltest.dat b/testing/tests/ikev1/rw-mark-in-out/evaltest.dat
new file mode 100644
index 000000000..168b3dfb9
--- /dev/null
+++ b/testing/tests/ikev1/rw-mark-in-out/evaltest.dat
@@ -0,0 +1,18 @@
+alice::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+venus::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+sun::ipsec status::alice.*STATE_QUICK_R2.*IPsec SA established::YES
+sun::ipsec status::alice.*alice@strongswan.org::YES
+sun::ipsec status::venus.*STATE_QUICK_R2.*IPsec SA established::YES
+sun::ipsec status::venus.*venus.strongswan.org::YES
+sun::ipsec statusall::alice.*10.2.0.0/16===.*===10.1.0.0/25::YES
+sun::ipsec statusall::venus.*10.2.0.0/16===.*===10.1.0.0/25::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon::tcpdump::IP alice.strongswan.org > sun.strongswan.org: ESP::YES
+moon::tcpdump::IP venus.strongswan.org > sun.strongswan.org: ESP::YES
+moon::tcpdump::IP sun.strongswan.org > alice.strongswan.org: ESP::YES
+moon::tcpdump::IP sun.strongswan.org > venus.strongswan.org: ESP::YES
+bob::tcpdump::10.3.0.10 > bob.strongswan.org: ICMP echo request::YES
+bob::tcpdump::10.3.0.20 > bob.strongswan.org: ICMP echo request::YES
+bob::tcpdump::bob.strongswan.org > 10.3.0.10: ICMP echo reply::YES
+bob::tcpdump::bob.strongswan.org > 10.3.0.20: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/rw-mark-in-out/hosts/alice/etc/init.d/iptables b/testing/tests/ikev1/rw-mark-in-out/hosts/alice/etc/init.d/iptables
new file mode 100755
index 000000000..5594bbf52
--- /dev/null
+++ b/testing/tests/ikev1/rw-mark-in-out/hosts/alice/etc/init.d/iptables
@@ -0,0 +1,77 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+ before net
+ need logger
+}
+
+start() {
+ ebegin "Starting firewall"
+
+ # default policy is DROP
+ /sbin/iptables -P INPUT DROP
+ /sbin/iptables -P OUTPUT DROP
+ /sbin/iptables -P FORWARD DROP
+
+ # allow ESP
+ iptables -A INPUT -i eth0 -p 50 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+ # allow IKE
+ iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+ # allow MOBIKE
+ iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+ # allow crl fetch from winnetou
+ iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+ # allow ssh
+ iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+ iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+
+ if [ $a == nat ]; then
+ /sbin/iptables -t nat -P PREROUTING ACCEPT
+ /sbin/iptables -t nat -P POSTROUTING ACCEPT
+ /sbin/iptables -t nat -P OUTPUT ACCEPT
+ elif [ $a == mangle ]; then
+ /sbin/iptables -t mangle -P PREROUTING ACCEPT
+ /sbin/iptables -t mangle -P INPUT ACCEPT
+ /sbin/iptables -t mangle -P FORWARD ACCEPT
+ /sbin/iptables -t mangle -P OUTPUT ACCEPT
+ /sbin/iptables -t mangle -P POSTROUTING ACCEPT
+ elif [ $a == filter ]; then
+ /sbin/iptables -t filter -P INPUT ACCEPT
+ /sbin/iptables -t filter -P FORWARD ACCEPT
+ /sbin/iptables -t filter -P OUTPUT ACCEPT
+ fi
+ done
+ eend $?
+}
+
+reload() {
+ ebegin "Flushing firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+ done;
+ eend $?
+ start
+}
+
diff --git a/testing/tests/ikev1/rw-mark-in-out/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/rw-mark-in-out/hosts/alice/etc/ipsec.conf
new file mode 100755
index 000000000..4256006c0
--- /dev/null
+++ b/testing/tests/ikev1/rw-mark-in-out/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutodebug=control
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ charonstart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+
+conn home
+ left=%defaultroute
+ leftsubnet=10.1.0.0/25
+ leftcert=aliceCert.pem
+ leftid=alice@strongswan.org
+ leftfirewall=yes
+ lefthostaccess=yes
+ right=PH_IP_SUN
+ rightid=@sun.strongswan.org
+ rightsubnet=10.2.0.0/16
+ auto=add
diff --git a/testing/tests/ikev1/rw-mark-in-out/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/rw-mark-in-out/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..83fe9eed2
--- /dev/null
+++ b/testing/tests/ikev1/rw-mark-in-out/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,37 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutodebug="control"
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ charonstart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+
+conn alice
+ rightid=alice@strongswan.org
+ mark_in=10/0xffffffff
+ mark_out=11/0xffffffff
+ also=sun
+ auto=add
+
+conn venus
+ rightid=@venus.strongswan.org
+ mark_in=20 #0xffffffff is used by default
+ mark_out=21 #0xffffffff is used by default
+ also=sun
+ auto=add
+
+conn sun
+ left=PH_IP_SUN
+ leftcert=sunCert.pem
+ leftid=@sun.strongswan.org
+ leftsubnet=10.2.0.0/16
+ leftupdown=/etc/mark_updown
+ right=%any
+ rightsubnet=10.1.0.0/25
diff --git a/testing/tests/ikev1/rw-mark-in-out/hosts/sun/etc/mark_updown b/testing/tests/ikev1/rw-mark-in-out/hosts/sun/etc/mark_updown
new file mode 100755
index 000000000..0d22e684d
--- /dev/null
+++ b/testing/tests/ikev1/rw-mark-in-out/hosts/sun/etc/mark_updown
@@ -0,0 +1,527 @@
+#! /bin/sh
+# updown script setting inbound marks on ESP traffic in the mangle chain
+#
+# Copyright (C) 2003-2004 Nigel Meteringham
+# Copyright (C) 2003-2004 Tuomo Soini
+# Copyright (C) 2002-2004 Michael Richardson
+# Copyright (C) 2005-2010 Andreas Steffen <andreas.steffen@strongswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+
+# CAUTION: Installing a new version of strongSwan will install a new
+# copy of this script, wiping out any custom changes you make. If
+# you need changes, make a copy of this under another name, and customize
+# that, and use the (left/right)updown parameters in ipsec.conf to make
+# strongSwan use yours instead of this default one.
+
+# things that this script gets (from ipsec_pluto(8) man page)
+#
+# PLUTO_VERSION
+# indicates what version of this interface is being
+# used. This document describes version 1.1. This
+# is upwardly compatible with version 1.0.
+#
+# PLUTO_VERB
+# specifies the name of the operation to be performed
+# (prepare-host, prepare-client, up-host, up-client,
+# down-host, or down-client). If the address family
+# for security gateway to security gateway communica-
+# tions is IPv6, then a suffix of -v6 is added to the
+# verb.
+#
+# PLUTO_CONNECTION
+# is the name of the connection for which we are
+# routing.
+#
+# PLUTO_NEXT_HOP
+# is the next hop to which packets bound for the peer
+# must be sent.
+#
+# PLUTO_INTERFACE
+# is the name of the ipsec interface to be used.
+#
+# PLUTO_REQID
+# is the requid of the ESP policy
+#
+# PLUTO_ME
+# is the IP address of our host.
+#
+# PLUTO_MY_ID
+# is the ID of our host.
+#
+# PLUTO_MY_CLIENT
+# is the IP address / count of our client subnet. If
+# the client is just the host, this will be the
+# host's own IP address / max (where max is 32 for
+# IPv4 and 128 for IPv6).
+#
+# PLUTO_MY_CLIENT_NET
+# is the IP address of our client net. If the client
+# is just the host, this will be the host's own IP
+# address.
+#
+# PLUTO_MY_CLIENT_MASK
+# is the mask for our client net. If the client is
+# just the host, this will be 255.255.255.255.
+#
+# PLUTO_MY_SOURCEIP
+# if non-empty, then the source address for the route will be
+# set to this IP address.
+#
+# PLUTO_MY_PROTOCOL
+# is the IP protocol that will be transported.
+#
+# PLUTO_MY_PORT
+# is the UDP/TCP port to which the IPsec SA is
+# restricted on our side.
+#
+# PLUTO_PEER
+# is the IP address of our peer.
+#
+# PLUTO_PEER_ID
+# is the ID of our peer.
+#
+# PLUTO_PEER_CA
+# is the CA which issued the cert of our peer.
+#
+# PLUTO_PEER_CLIENT
+# is the IP address / count of the peer's client sub-
+# net. If the client is just the peer, this will be
+# the peer's own IP address / max (where max is 32
+# for IPv4 and 128 for IPv6).
+#
+# PLUTO_PEER_CLIENT_NET
+# is the IP address of the peer's client net. If the
+# client is just the peer, this will be the peer's
+# own IP address.
+#
+# PLUTO_PEER_CLIENT_MASK
+# is the mask for the peer's client net. If the
+# client is just the peer, this will be
+# 255.255.255.255.
+#
+# PLUTO_PEER_PROTOCOL
+# is the IP protocol that will be transported.
+#
+# PLUTO_PEER_PORT
+# is the UDP/TCP port to which the IPsec SA is
+# restricted on the peer side.
+#
+# PLUTO_XAUTH_ID
+# is an optional user ID employed by the XAUTH protocol
+#
+# PLUTO_MARK_IN
+# is an optional XFRM mark set on the inbound IPsec SA
+#
+# PLUTO_MARK_OUT
+# is an optional XFRM mark set on the outbound IPsec SA
+#
+# PLUTO_UDP_ENC
+# contains the remote UDP port in the case of ESP_IN_UDP
+# encapsulation
+#
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+export PATH
+
+# uncomment to log VPN connections
+VPN_LOGGING=1
+#
+# tag put in front of each log entry:
+TAG=vpn
+#
+# syslog facility and priority used:
+FAC_PRIO=local0.notice
+#
+# to create a special vpn logging file, put the following line into
+# the syslog configuration file /etc/syslog.conf:
+#
+# local0.notice -/var/log/vpn
+
+# in order to use source IP routing the Linux kernel options
+# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
+# must be enabled
+#
+# special routing table for sourceip routes
+SOURCEIP_ROUTING_TABLE=220
+#
+# priority of the sourceip routing table
+SOURCEIP_ROUTING_TABLE_PRIO=220
+
+# check interface version
+case "$PLUTO_VERSION" in
+1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features.
+ echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
+ echo "$0: called by obsolete Pluto?" >&2
+ exit 2
+ ;;
+1.*) ;;
+*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
+ exit 2
+ ;;
+esac
+
+# check parameter(s)
+case "$1:$*" in
+':') # no parameters
+ ;;
+iptables:iptables) # due to (left/right)firewall; for default script only
+ ;;
+custom:*) # custom parameters (see above CAUTION comment)
+ ;;
+*) echo "$0: unknown parameters \`$*'" >&2
+ exit 2
+ ;;
+esac
+
+# utility functions for route manipulation
+# Meddling with this stuff should not be necessary and requires great care.
+uproute() {
+ doroute add
+ ip route flush cache
+}
+downroute() {
+ doroute delete
+ ip route flush cache
+}
+
+addsource() {
+ st=0
+ if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
+ then
+ it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
+ oops="`eval $it 2>&1`"
+ st=$?
+ if test " $oops" = " " -a " $st" != " 0"
+ then
+ oops="silent error, exit status $st"
+ fi
+ if test " $oops" != " " -o " $st" != " 0"
+ then
+ echo "$0: addsource \`$it' failed ($oops)" >&2
+ fi
+ fi
+ return $st
+}
+
+doroute() {
+ st=0
+
+ if [ -z "$PLUTO_MY_SOURCEIP" ]
+ then
+ for dir in /etc/sysconfig /etc/conf.d; do
+ if [ -f "$dir/defaultsource" ]
+ then
+ . "$dir/defaultsource"
+ fi
+ done
+
+ if [ -n "$DEFAULTSOURCE" ]
+ then
+ PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+ fi
+ fi
+
+ if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+ then
+ # leave because no route entry is required
+ return $st
+ fi
+
+ parms1="$PLUTO_PEER_CLIENT"
+
+ if [ -n "$PLUTO_NEXT_HOP" ]
+ then
+ parms2="via $PLUTO_NEXT_HOP"
+ else
+ parms2="via $PLUTO_PEER"
+ fi
+ parms2="$parms2 dev $PLUTO_INTERFACE"
+
+ parms3=
+ if [ -n "$PLUTO_MY_SOURCEIP" ]
+ then
+ if test "$1" = "add"
+ then
+ addsource
+ if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
+ then
+ ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
+ fi
+ fi
+ parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
+ fi
+
+ case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+ "0.0.0.0/0.0.0.0")
+ # opportunistic encryption work around
+ # need to provide route that eclipses default, without
+ # replacing it.
+ it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
+ ip route $1 128.0.0.0/1 $parms2 $parms3"
+ ;;
+ *) it="ip route $1 $parms1 $parms2 $parms3"
+ ;;
+ esac
+ oops="`eval $it 2>&1`"
+ st=$?
+ if test " $oops" = " " -a " $st" != " 0"
+ then
+ oops="silent error, exit status $st"
+ fi
+ if test " $oops" != " " -o " $st" != " 0"
+ then
+ echo "$0: doroute \`$it' failed ($oops)" >&2
+ fi
+ return $st
+}
+
+# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
+if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
+then
+ KLIPS=1
+ IPSEC_POLICY_IN=""
+ IPSEC_POLICY_OUT=""
+else
+ KLIPS=
+ IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
+ IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+ IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
+fi
+
+# is there an inbound mark to be set?
+if [ -n "$PLUTO_MARK_IN" ]
+then
+ if [ -n "$PLUTO_UDP_ENC" ]
+ then
+ SET_MARK="-p udp --sport $PLUTO_UDP_ENC"
+ else
+ SET_MARK="-p esp"
+ fi
+ SET_MARK="$SET_MARK -s $PLUTO_PEER -j MARK --set-mark $PLUTO_MARK_IN"
+fi
+
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+ S_MY_PORT="--sport $PLUTO_MY_PORT"
+ D_MY_PORT="--dport $PLUTO_MY_PORT"
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+ S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+ D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+fi
+
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
+# the big choice
+case "$PLUTO_VERB:$1" in
+prepare-host:*|prepare-client:*)
+ if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+ then
+ # exit because no route will be added,
+ # so that existing routes can stay
+ exit 0
+ fi
+
+ # delete possibly-existing route (preliminary to adding a route)
+ case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+ "0.0.0.0/0.0.0.0")
+ # need to provide route that eclipses default, without
+ # replacing it.
+ parms1="0.0.0.0/1"
+ parms2="128.0.0.0/1"
+ it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
+ oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
+ ;;
+ *)
+ parms="$PLUTO_PEER_CLIENT"
+ it="ip route delete $parms 2>&1"
+ oops="`ip route delete $parms 2>&1`"
+ ;;
+ esac
+ status="$?"
+ if test " $oops" = " " -a " $status" != " 0"
+ then
+ oops="silent error, exit status $status"
+ fi
+ case "$oops" in
+ *'RTNETLINK answers: No such process'*)
+ # This is what route (currently -- not documented!) gives
+ # for "could not find such a route".
+ oops=
+ status=0
+ ;;
+ esac
+ if test " $oops" != " " -o " $status" != " 0"
+ then
+ echo "$0: \`$it' failed ($oops)" >&2
+ fi
+ exit $status
+ ;;
+route-host:*|route-client:*)
+ # connection to me or my client subnet being routed
+ uproute
+ ;;
+unroute-host:*|unroute-client:*)
+ # connection to me or my client subnet being unrouted
+ downroute
+ ;;
+up-host:)
+ # connection to me coming up
+ # If you are doing a custom version, firewall commands go here.
+ if [ -n "$PLUTO_MARK_IN" ]
+ then
+ iptables -t mangle -A PREROUTING $SET_MARK
+ fi
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ #
+ # log IPsec host connection setup
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ else
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ fi
+ fi
+ ;;
+down-host:)
+ # connection to me going down
+ # If you are doing a custom version, firewall commands go here.
+ if [ -n "$PLUTO_MARK_IN" ]
+ then
+ iptables -t mangle -D PREROUTING $SET_MARK
+ fi
+ iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ #
+ # log IPsec host connection teardown
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+ then
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ else
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ fi
+ fi
+ ;;
+up-client:)
+ # connection to my client subnet coming up
+ # If you are doing a custom version, firewall commands go here.
+ if [ -n "$PLUTO_MARK_IN" ]
+ then
+ iptables -t mangle -A PREROUTING $SET_MARK
+ fi
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+ then
+ iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+ iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+ fi
+ #
+ # log IPsec client connection setup
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ else
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ fi
+ fi
+ ;;
+down-client:)
+ # connection to my client subnet going down
+ # If you are doing a custom version, firewall commands go here.
+ if [ -n "$PLUTO_MARK_IN" ]
+ then
+ iptables -t mangle -D PREROUTING $SET_MARK
+ fi
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+ then
+ iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+ $IPSEC_POLICY_OUT -j ACCEPT
+ iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
+ $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
+ $IPSEC_POLICY_IN -j ACCEPT
+ iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+ $IPSEC_POLICY_OUT -j ACCEPT
+ fi
+ #
+ # log IPsec client connection teardown
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+ then
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ else
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ fi
+ fi
+ ;;
+*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+ exit 1
+ ;;
+esac
diff --git a/testing/tests/ikev1/rw-mark-in-out/hosts/venus/etc/init.d/iptables b/testing/tests/ikev1/rw-mark-in-out/hosts/venus/etc/init.d/iptables
new file mode 100755
index 000000000..5594bbf52
--- /dev/null
+++ b/testing/tests/ikev1/rw-mark-in-out/hosts/venus/etc/init.d/iptables
@@ -0,0 +1,77 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+ before net
+ need logger
+}
+
+start() {
+ ebegin "Starting firewall"
+
+ # default policy is DROP
+ /sbin/iptables -P INPUT DROP
+ /sbin/iptables -P OUTPUT DROP
+ /sbin/iptables -P FORWARD DROP
+
+ # allow ESP
+ iptables -A INPUT -i eth0 -p 50 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+ # allow IKE
+ iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+ # allow MOBIKE
+ iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+ # allow crl fetch from winnetou
+ iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+ # allow ssh
+ iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+ iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+
+ if [ $a == nat ]; then
+ /sbin/iptables -t nat -P PREROUTING ACCEPT
+ /sbin/iptables -t nat -P POSTROUTING ACCEPT
+ /sbin/iptables -t nat -P OUTPUT ACCEPT
+ elif [ $a == mangle ]; then
+ /sbin/iptables -t mangle -P PREROUTING ACCEPT
+ /sbin/iptables -t mangle -P INPUT ACCEPT
+ /sbin/iptables -t mangle -P FORWARD ACCEPT
+ /sbin/iptables -t mangle -P OUTPUT ACCEPT
+ /sbin/iptables -t mangle -P POSTROUTING ACCEPT
+ elif [ $a == filter ]; then
+ /sbin/iptables -t filter -P INPUT ACCEPT
+ /sbin/iptables -t filter -P FORWARD ACCEPT
+ /sbin/iptables -t filter -P OUTPUT ACCEPT
+ fi
+ done
+ eend $?
+}
+
+reload() {
+ ebegin "Flushing firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+ done;
+ eend $?
+ start
+}
+
diff --git a/testing/tests/ikev1/rw-mark-in-out/hosts/venus/etc/ipsec.conf b/testing/tests/ikev1/rw-mark-in-out/hosts/venus/etc/ipsec.conf
new file mode 100755
index 000000000..e7561ebbe
--- /dev/null
+++ b/testing/tests/ikev1/rw-mark-in-out/hosts/venus/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutodebug=control
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ charonstart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev1
+
+conn home
+ left=%defaultroute
+ leftsubnet=10.1.0.0/25
+ leftcert=venusCert.pem
+ leftid=@venus.strongswan.org
+ leftfirewall=yes
+ lefthostaccess=yes
+ right=PH_IP_SUN
+ rightid=@sun.strongswan.org
+ rightsubnet=10.2.0.0/16
+ auto=add
diff --git a/testing/tests/ikev1/rw-mark-in-out/posttest.dat b/testing/tests/ikev1/rw-mark-in-out/posttest.dat
new file mode 100644
index 000000000..fae79271b
--- /dev/null
+++ b/testing/tests/ikev1/rw-mark-in-out/posttest.dat
@@ -0,0 +1,12 @@
+sun::iptables -t mangle -v -n -L PREROUTING
+sun::ipsec stop
+alice::ipsec stop
+venus::ipsec stop
+alice::/etc/init.d/iptables stop 2> /dev/null
+venus::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+sun::ip route del 10.1.0.0/16 via PH_IP_MOON
+sun::conntrack -F
+sun::rm /etc/mark_updown
+moon::iptables -t nat -F
+moon::conntrack -F
diff --git a/testing/tests/ikev1/rw-mark-in-out/pretest.dat b/testing/tests/ikev1/rw-mark-in-out/pretest.dat
new file mode 100644
index 000000000..427e5c67f
--- /dev/null
+++ b/testing/tests/ikev1/rw-mark-in-out/pretest.dat
@@ -0,0 +1,18 @@
+alice::/etc/init.d/iptables start 2> /dev/null
+venus::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to PH_IP_MOON
+sun::ip route add 10.1.0.0/16 via PH_IP_MOON
+sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to 10.3.0.10
+sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to 10.3.0.20
+sun::iptables -t mangle -A PREROUTING -d 10.3.0.10 -j MARK --set-mark 11
+sun::iptables -t mangle -A PREROUTING -d 10.3.0.20 -j MARK --set-mark 21
+alice::ipsec start
+venus::ipsec start
+sun::ipsec start
+alice::sleep 2
+alice::ipsec up home
+venus::sleep 2
+venus::ipsec up home
+venus::sleep 2
diff --git a/testing/tests/ikev1/rw-mark-in-out/test.conf b/testing/tests/ikev1/rw-mark-in-out/test.conf
new file mode 100644
index 000000000..ae3c190b8
--- /dev/null
+++ b/testing/tests/ikev1/rw-mark-in-out/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon bob"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf
index f0e4036c0..ffa211299 100755
--- a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
authby=secret
conn home
diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/strongswan.conf
index 85e5f1aee..453cdc07c 100644
--- a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac gmp random
+ load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf
index 864d014de..5f7cdedd2 100755
--- a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
authby=secret
conn rw-carol
diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/strongswan.conf
index 85e5f1aee..453cdc07c 100644
--- a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac gmp random
+ load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.conf
index f0e4036c0..ffa211299 100755
--- a/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
authby=secret
conn home
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
index 85e5f1aee..453cdc07c 100644
--- a/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac gmp random
+ load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.conf
index f3a6db107..efec3b33d 100755
--- a/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
authby=secret
conn rw
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
index 85e5f1aee..453cdc07c 100644
--- a/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac gmp random
+ load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.conf
index d76337996..0d2a5d2c4 100755
--- a/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
authby=secret
conn home
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
index 85e5f1aee..453cdc07c 100644
--- a/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac gmp random
+ load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.conf
index 025f335b2..41582eaef 100755
--- a/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
authby=secret
conn rw
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
index 85e5f1aee..453cdc07c 100644
--- a/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac gmp random
+ load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.conf
index 980523a5e..c040fe88f 100755
--- a/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn home
authby=secret
diff --git a/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/strongswan.conf
index 85e5f1aee..453cdc07c 100644
--- a/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac gmp random
+ load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/ipsec.conf
index d57d790d1..f0dbeb323 100755
--- a/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn rw
left=PH_IP_MOON
diff --git a/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/strongswan.conf
index 85e5f1aee..453cdc07c 100644
--- a/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac gmp random
+ load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf
index 08a41e612..f2a15af0a 100755
--- a/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
ike=aes128,serpent128,twofish128,3des
conn home
diff --git a/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf
index b8900c082..02270e004 100755
--- a/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
left=PH_IP_MOON
leftid=@moon.strongswan.org
leftsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.conf
index dbfac50e2..dbd3adb4c 100755
--- a/testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.conf
@@ -8,6 +8,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn rw-psk
authby=secret
diff --git a/testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.conf
index db281ef80..f6859b8a4 100755
--- a/testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn home
left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/self-signed/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/self-signed/hosts/carol/etc/strongswan.conf
index 737117cc9..e589a9425 100644
--- a/testing/tests/ikev1/self-signed/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/self-signed/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
}
scepclient {
diff --git a/testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.conf
index f3c2be9a1..f14352bf8 100755
--- a/testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn carol
left=PH_IP_MOON
diff --git a/testing/tests/ikev1/self-signed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/self-signed/hosts/moon/etc/strongswan.conf
index 737117cc9..e589a9425 100644
--- a/testing/tests/ikev1/self-signed/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/self-signed/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
}
scepclient {
diff --git a/testing/tests/ikev1/starter-also-loop/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/starter-also-loop/hosts/moon/etc/ipsec.conf
index cd751df3d..af2fcc5dc 100755
--- a/testing/tests/ikev1/starter-also-loop/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/starter-also-loop/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn net-net
also=host-host
diff --git a/testing/tests/ikev1/starter-also/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/starter-also/hosts/moon/etc/ipsec.conf
index e78231f0c..2bd4985ca 100755
--- a/testing/tests/ikev1/starter-also/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/starter-also/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn net-net
also=host-host
diff --git a/testing/tests/ikev1/starter-includes/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/starter-includes/hosts/carol/etc/ipsec.conf
index 57ec7040e..9c75434c2 100755
--- a/testing/tests/ikev1/starter-includes/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/starter-includes/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn home
left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/starter-includes/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/starter-includes/hosts/dave/etc/ipsec.conf
index 3179faa05..726998e19 100755
--- a/testing/tests/ikev1/starter-includes/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/starter-includes/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn home
left=PH_IP_DAVE
diff --git a/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.connections b/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.connections
index 7cd938628..bd47f9e09 100644
--- a/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.connections
+++ b/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.connections
@@ -5,6 +5,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
include /etc/ipsec.host
diff --git a/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.conf
index a2af4e9f8..2a1dad5c6 100755
--- a/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn home
left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.conf
index e48b1a78c..e10e9d45c 100755
--- a/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn home
left=PH_IP_DAVE
diff --git a/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.conf
index b9710cb14..67e97ebc2 100755
--- a/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn rw
left=PH_IP_MOON
diff --git a/testing/tests/ikev1/virtual-ip-swapped/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/virtual-ip-swapped/hosts/carol/etc/ipsec.conf
index b4ad3c011..4dfa345f4 100755
--- a/testing/tests/ikev1/virtual-ip-swapped/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/virtual-ip-swapped/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn home
right=PH_IP_CAROL
diff --git a/testing/tests/ikev1/virtual-ip-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/virtual-ip-swapped/hosts/moon/etc/ipsec.conf
index eafcf5e55..b65d7a690 100755
--- a/testing/tests/ikev1/virtual-ip-swapped/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/virtual-ip-swapped/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn rw
right=PH_IP_MOON
diff --git a/testing/tests/ikev1/virtual-ip/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/virtual-ip/hosts/carol/etc/ipsec.conf
index 71aa4decf..e0ef16930 100755
--- a/testing/tests/ikev1/virtual-ip/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/virtual-ip/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn home
left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/virtual-ip/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/virtual-ip/hosts/moon/etc/ipsec.conf
index 471e9e833..63a8c92b5 100755
--- a/testing/tests/ikev1/virtual-ip/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/virtual-ip/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn rw
left=PH_IP_MOON
diff --git a/testing/tests/ikev1/wildcards/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/wildcards/hosts/carol/etc/ipsec.conf
index d4ce57333..cf93bb231 100755
--- a/testing/tests/ikev1/wildcards/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/wildcards/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
left=PH_IP_CAROL
leftcert=carolCert.pem
right=PH_IP_MOON
diff --git a/testing/tests/ikev1/wildcards/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/wildcards/hosts/dave/etc/ipsec.conf
index ea445522e..5f04445d2 100755
--- a/testing/tests/ikev1/wildcards/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/wildcards/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
left=PH_IP_DAVE
leftcert=daveCert.pem
right=PH_IP_MOON
diff --git a/testing/tests/ikev1/wildcards/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/wildcards/hosts/moon/etc/ipsec.conf
index 8952bc92f..39b031551 100755
--- a/testing/tests/ikev1/wildcards/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/wildcards/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
left=PH_IP_MOON
leftcert=moonCert.pem
leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/wlan/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/wlan/hosts/alice/etc/ipsec.conf
index 30b657662..e3cf9b15d 100755
--- a/testing/tests/ikev1/wlan/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev1/wlan/hosts/alice/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn system
left=PH_IP_ALICE
diff --git a/testing/tests/ikev1/wlan/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/wlan/hosts/moon/etc/ipsec.conf
index ab3287aee..61ce28e6b 100755
--- a/testing/tests/ikev1/wlan/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/wlan/hosts/moon/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn alice
right=PH_IP_ALICE
diff --git a/testing/tests/ikev1/wlan/hosts/venus/etc/ipsec.conf b/testing/tests/ikev1/wlan/hosts/venus/etc/ipsec.conf
index bb9897c79..fa2dc953e 100755
--- a/testing/tests/ikev1/wlan/hosts/venus/etc/ipsec.conf
+++ b/testing/tests/ikev1/wlan/hosts/venus/etc/ipsec.conf
@@ -12,6 +12,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn system
left=PH_IP_VENUS
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.conf
index aa0ae1289..b7402d24b 100644
--- a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
authby=xauthpsk
conn home
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/strongswan.conf
index dbd431cc2..e3f377d18 100644
--- a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac gmp random xauth
+ load = sha1 sha2 md5 aes des hmac gmp random xauth resolve kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/ipsec.conf
index 0243f5afb..8f9226dd1 100644
--- a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
authby=xauthpsk
conn home
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/strongswan.conf
index dbd431cc2..e3f377d18 100644
--- a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac gmp random xauth
+ load = sha1 sha2 md5 aes des hmac gmp random xauth resolve kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/ipsec.conf
index 4206f8916..452187f11 100644
--- a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
authby=xauthpsk
xauth=server
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/strongswan.conf
index dbd431cc2..089467da4 100644
--- a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,9 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac gmp random xauth
+ load = sha1 sha2 md5 aes des hmac gmp random xauth attr kernel-netlink
+ dns1 = 192.168.0.150
+ dns2 = 10.1.0.20
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/posttest.dat b/testing/tests/ikev1/xauth-id-psk-mode-config/posttest.dat
index 42fa8359b..f90d222b5 100644
--- a/testing/tests/ikev1/xauth-id-psk-mode-config/posttest.dat
+++ b/testing/tests/ikev1/xauth-id-psk-mode-config/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
+moon::ipsec stop
moon::/etc/init.d/iptables stop 2> /dev/null
carol::/etc/init.d/iptables stop 2> /dev/null
dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.conf
index 48015ad4c..da1a10513 100644
--- a/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
authby=xauthpsk
conn home
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/strongswan.conf
index dbd431cc2..c9eb0bc97 100644
--- a/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac gmp random xauth
+ load = sha1 sha2 md5 aes des hmac gmp random xauth kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.conf
index baa85e32c..3a4b75af6 100644
--- a/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
authby=xauthpsk
conn home
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/strongswan.conf
index dbd431cc2..c9eb0bc97 100644
--- a/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac gmp random xauth
+ load = sha1 sha2 md5 aes des hmac gmp random xauth kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.conf
index c92ad8748..850ea561b 100644
--- a/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
authby=xauthpsk
xauth=server
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/strongswan.conf
index dbd431cc2..c9eb0bc97 100644
--- a/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac gmp random xauth
+ load = sha1 sha2 md5 aes des hmac gmp random xauth kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.conf
index 32b1227bb..be62c2b8f 100644
--- a/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
authby=xauthrsasig
conn home
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/strongswan.conf
index 556f76c74..de1cbb134 100644
--- a/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.conf
index 090deac77..c09fb3c2c 100644
--- a/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
authby=xauthrsasig
conn home
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/strongswan.conf
index 556f76c74..de1cbb134 100644
--- a/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.conf
index f79a81a6f..251041443 100644
--- a/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
authby=xauthrsasig
xauth=server
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/strongswan.conf
index 556f76c74..de1cbb134 100644
--- a/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf
index 684ace0d3..1c7d7002e 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
authby=xauthpsk
conn home
diff --git a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf
index dbd431cc2..c9eb0bc97 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac gmp random xauth
+ load = sha1 sha2 md5 aes des hmac gmp random xauth kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf
index 14307a7f0..782c160c9 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
authby=xauthpsk
conn home
diff --git a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf
index dbd431cc2..c9eb0bc97 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac gmp random xauth
+ load = sha1 sha2 md5 aes des hmac gmp random xauth kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf
index a4e01b564..595e6588c 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
authby=xauthpsk
xauth=server
diff --git a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf
index dbd431cc2..c9eb0bc97 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac gmp random xauth
+ load = sha1 sha2 md5 aes des hmac gmp random xauth kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.conf
index 47bf1dafc..186d8e121 100755
--- a/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
authby=xauthrsasig
conn home
diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/strongswan.conf
index 556f76c74..de1cbb134 100644
--- a/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.conf
index f79a81a6f..251041443 100755
--- a/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
authby=xauthrsasig
xauth=server
diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/strongswan.conf
index 556f76c74..de1cbb134 100644
--- a/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.conf
index 47928181f..ca2df4b28 100644
--- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
authby=xauthrsasig
conn home
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/strongswan.conf
index 556f76c74..de1cbb134 100644
--- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.conf
index 8c8cb4a2d..079c6b0d5 100644
--- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
authby=xauthrsasig
conn home
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/strongswan.conf
index 556f76c74..de1cbb134 100644
--- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.conf
index 1c48e13e7..0a65acb5d 100644
--- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
authby=xauthrsasig
xauth=server
left=PH_IP_MOON
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/strongswan.conf
index 556f76c74..de1cbb134 100644
--- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/posttest.dat b/testing/tests/ikev1/xauth-rsa-mode-config/posttest.dat
index 42fa8359b..f90d222b5 100644
--- a/testing/tests/ikev1/xauth-rsa-mode-config/posttest.dat
+++ b/testing/tests/ikev1/xauth-rsa-mode-config/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
+moon::ipsec stop
moon::/etc/init.d/iptables stop 2> /dev/null
carol::/etc/init.d/iptables stop 2> /dev/null
dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf
index 1e21fbb97..fc86bab41 100755
--- a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
authby=xauthrsasig
conn home
diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/strongswan.conf
index 556f76c74..de1cbb134 100644
--- a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf
index 94cc6819d..e2709cdf1 100755
--- a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
authby=xauthrsasig
xauth=server
diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/strongswan.conf
index 556f76c74..de1cbb134 100644
--- a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.conf
index 47bf1dafc..186d8e121 100644
--- a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
authby=xauthrsasig
conn home
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf
index 556f76c74..de1cbb134 100644
--- a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.conf
index 1fcf71d5c..478e732ae 100644
--- a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
authby=xauthrsasig
conn home
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf
index 556f76c74..de1cbb134 100644
--- a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf
index f79a81a6f..251041443 100644
--- a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
authby=xauthrsasig
xauth=server
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf
index 556f76c74..de1cbb134 100644
--- a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev2/alg-3des-md5/test.conf b/testing/tests/ikev2/alg-3des-md5/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/ikev2/alg-3des-md5/test.conf
+++ b/testing/tests/ikev2/alg-3des-md5/test.conf
@@ -5,11 +5,11 @@
# All UML instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
# UML instances on which tcpdump is to be started
#
diff --git a/testing/tests/ikev2/alg-aes-ccm/description.txt b/testing/tests/ikev2/alg-aes-ccm/description.txt
new file mode 100644
index 000000000..28e38ca7f
--- /dev/null
+++ b/testing/tests/ikev2/alg-aes-ccm/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the cipher suite
+<b>AES_CCM_12_128</b> both for IKE and ESP by defining <b>ike=aes128ccm12-aesxcbc-modp2048</b>
+(or alternatively <b>aes128ccm96</b>) and <b>esp=aes128ccm12-modp2048</b> in ipsec.conf, respectively.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/evaltest.dat b/testing/tests/ikev2/alg-aes-ccm/evaltest.dat
index f7959d129..0834a8db0 100644
--- a/testing/tests/ikev2/esp-alg-aes-ccm/evaltest.dat
+++ b/testing/tests/ikev2/alg-aes-ccm/evaltest.dat
@@ -1,9 +1,11 @@
moon::ipsec statusall::rw.*INSTALLED::YES
carol::ipsec statusall::home.*INSTALLED::YES
carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec statusall::AES_CCM_12_128::YES
-carol::ipsec statusall::AES_CCM_12_128::YES
-carol::ip xfrm state::aead rfc4309(ccm(aes))::YES
+moon::ipsec statusall::IKE proposal: AES_CCM_12_128::YES
+carol::ipsec statusall::IKE proposal: AES_CCM_12_128::YES
+moon::ipsec statusall::AES_CCM_12_128,::YES
+carol::ipsec statusall::AES_CCM_12_128,::YES
moon::ip xfrm state::aead rfc4309(ccm(aes))::YES
+carol::ip xfrm state::aead rfc4309(ccm(aes))::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/ipsec.conf
index 85c825002..6bcfbc28d 100755
--- a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/ipsec.conf
@@ -11,7 +11,7 @@ conn %default
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
- ike=aes128-aesxcbc-modp2048!
+ ike=aes128ccm96-aesxcbc-modp2048!
esp=aes128ccm96-modp2048!
conn home
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/strongswan.conf
index 339b56987..db2c09bae 100644
--- a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ccm stroke kernel-netlink socket-default updown
}
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/ipsec.conf
index 8f8404516..1d6f13861 100755
--- a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,7 @@ conn %default
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
- ike=aes128-aesxcbc-modp2048!
+ ike=aes128ccm12-aesxcbc-modp2048!
esp=aes128ccm12-modp2048!
conn rw
diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/strongswan.conf
index 339b56987..db2c09bae 100644
--- a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ccm stroke kernel-netlink socket-default updown
}
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/posttest.dat b/testing/tests/ikev2/alg-aes-ccm/posttest.dat
index 94a400606..94a400606 100644
--- a/testing/tests/ikev2/esp-alg-aes-ccm/posttest.dat
+++ b/testing/tests/ikev2/alg-aes-ccm/posttest.dat
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/pretest.dat b/testing/tests/ikev2/alg-aes-ccm/pretest.dat
index f360351e1..f360351e1 100644
--- a/testing/tests/ikev2/esp-alg-aes-ccm/pretest.dat
+++ b/testing/tests/ikev2/alg-aes-ccm/pretest.dat
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/test.conf b/testing/tests/ikev2/alg-aes-ccm/test.conf
index acb73b06f..acb73b06f 100644
--- a/testing/tests/ikev2/esp-alg-aes-ccm/test.conf
+++ b/testing/tests/ikev2/alg-aes-ccm/test.conf
diff --git a/testing/tests/ikev2/alg-aes-ctr/description.txt b/testing/tests/ikev2/alg-aes-ctr/description.txt
new file mode 100644
index 000000000..edb601b61
--- /dev/null
+++ b/testing/tests/ikev2/alg-aes-ctr/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the cipher suite
+<b>AES_CTR_128</b> both for IKE and ESP by defining <b>ike=aes128ctr-aesxcbc-modp2048</b>
+and <b>esp=aes128ctr-aesxcbc-modp2048</b> in ipsec.conf, respectively.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/evaltest.dat b/testing/tests/ikev2/alg-aes-ctr/evaltest.dat
index 6b5d0ba0b..522ce6088 100644
--- a/testing/tests/ikev2/esp-alg-aes-ctr/evaltest.dat
+++ b/testing/tests/ikev2/alg-aes-ctr/evaltest.dat
@@ -1,8 +1,10 @@
moon::ipsec statusall::rw.*INSTALLED::YES
carol::ipsec statusall::home.*INSTALLED::YES
carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec statusall::AES_CTR_128/AES_XCBC_96::YES
-carol::ipsec statusall::AES_CTR_128/AES_XCBC_96::YES
+moon::ipsec statusall::IKE proposal: AES_CTR_128::YES
+carol::ipsec statusall::IKE proposal: AES_CTR_128::YES
+moon::ipsec statusall::AES_CTR_128/AES_XCBC_96,::YES
+carol::ipsec statusall::AES_CTR_128/AES_XCBC_96,::YES
moon::ip xfrm state::rfc3686(ctr(aes))::YES
carol::ip xfrm state::rfc3686(ctr(aes))::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/ipsec.conf
index 02ca66b75..70c482835 100755
--- a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/ipsec.conf
@@ -11,7 +11,7 @@ conn %default
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
- ike=aes128-aesxcbc-modp2048!
+ ike=aes128ctr-aesxcbc-modp2048!
esp=aes128ctr-aesxcbc-modp2048!
conn home
diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/strongswan.conf
index 339b56987..be46d6d3e 100644
--- a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ctr stroke kernel-netlink socket-default updown
}
diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/ipsec.conf
index 1c19714b9..bf103742f 100755
--- a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,7 @@ conn %default
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
- ike=aes128-aesxcbc-modp2048!
+ ike=aes128ctr-aesxcbc-modp2048!
esp=aes128ctr-aesxcbc-modp2048!
conn rw
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/strongswan.conf
index 339b56987..be46d6d3e 100644
--- a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ctr stroke kernel-netlink socket-default updown
}
diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/posttest.dat b/testing/tests/ikev2/alg-aes-ctr/posttest.dat
index 94a400606..94a400606 100644
--- a/testing/tests/ikev2/esp-alg-aes-ctr/posttest.dat
+++ b/testing/tests/ikev2/alg-aes-ctr/posttest.dat
diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/pretest.dat b/testing/tests/ikev2/alg-aes-ctr/pretest.dat
index f360351e1..f360351e1 100644
--- a/testing/tests/ikev2/esp-alg-aes-ctr/pretest.dat
+++ b/testing/tests/ikev2/alg-aes-ctr/pretest.dat
diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/test.conf b/testing/tests/ikev2/alg-aes-ctr/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/ikev2/esp-alg-aes-ctr/test.conf
+++ b/testing/tests/ikev2/alg-aes-ctr/test.conf
@@ -5,11 +5,11 @@
# All UML instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
# UML instances on which tcpdump is to be started
#
diff --git a/testing/tests/ikev2/alg-aes-gcm/description.txt b/testing/tests/ikev2/alg-aes-gcm/description.txt
new file mode 100644
index 000000000..2afcecd68
--- /dev/null
+++ b/testing/tests/ikev2/alg-aes-gcm/description.txt
@@ -0,0 +1,5 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the cipher suite
+<b>AES_GCM_16_256</b> both for IKE and ESP by defining <b>ike=aes256gcm16-aesxcbc-modp2048</b>
+(or alternatively <b>aes256gcm128</b>) and <b>esp=aes256gcm16-modp2048</b> in ipsec.conf,
+respectively.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat b/testing/tests/ikev2/alg-aes-gcm/evaltest.dat
index 7434cc156..9cd3e8e15 100644
--- a/testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat
+++ b/testing/tests/ikev2/alg-aes-gcm/evaltest.dat
@@ -1,9 +1,11 @@
moon::ipsec statusall::rw.*INSTALLED::YES
carol::ipsec statusall::home.*INSTALLED::YES
carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec statusall::AES_GCM_16_256::YES
-carol::ipsec statusall::AES_GCM_16_256::YES
-carol::ip xfrm state::aead rfc4106(gcm(aes))::YES
+moon::ipsec statusall::IKE proposal: AES_GCM_16_256::YES
+carol::ipsec statusall::IKE proposal: AES_GCM_16_256::YES
+moon::ipsec statusall::AES_GCM_16_256,::YES
+carol::ipsec statusall::AES_GCM_16_256,::YES
moon::ip xfrm state::aead rfc4106(gcm(aes))::YES
+carol::ip xfrm state::aead rfc4106(gcm(aes))::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf
index df2b7437d..e3f19aff8 100755
--- a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf
@@ -11,7 +11,7 @@ conn %default
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
- ike=aes256-aesxcbc-modp2048!
+ ike=aes256gcm128-aesxcbc-modp2048!
esp=aes256gcm128-modp2048!
conn home
diff --git a/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..7fe7619f1
--- /dev/null
+++ b/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc gcm stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf
index 661681105..0d51a3ea8 100755
--- a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf
@@ -11,7 +11,7 @@ conn %default
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
- ike=aes256-aesxcbc-modp2048!
+ ike=aes256gcm16-aesxcbc-modp2048!
esp=aes256gcm16-modp2048!
conn rw
diff --git a/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..7fe7619f1
--- /dev/null
+++ b/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc gcm stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/posttest.dat b/testing/tests/ikev2/alg-aes-gcm/posttest.dat
index 94a400606..94a400606 100644
--- a/testing/tests/ikev2/esp-alg-aes-gcm/posttest.dat
+++ b/testing/tests/ikev2/alg-aes-gcm/posttest.dat
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/pretest.dat b/testing/tests/ikev2/alg-aes-gcm/pretest.dat
index f360351e1..f360351e1 100644
--- a/testing/tests/ikev2/esp-alg-aes-gcm/pretest.dat
+++ b/testing/tests/ikev2/alg-aes-gcm/pretest.dat
diff --git a/testing/tests/ikev2/alg-aes-gcm/test.conf b/testing/tests/ikev2/alg-aes-gcm/test.conf
new file mode 100644
index 000000000..9cd583b16
--- /dev/null
+++ b/testing/tests/ikev2/alg-aes-gcm/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/alg-aes-xcbc/test.conf b/testing/tests/ikev2/alg-aes-xcbc/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/ikev2/alg-aes-xcbc/test.conf
+++ b/testing/tests/ikev2/alg-aes-xcbc/test.conf
@@ -5,11 +5,11 @@
# All UML instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
# UML instances on which tcpdump is to be started
#
diff --git a/testing/tests/ikev2/alg-sha256-96/test.conf b/testing/tests/ikev2/alg-sha256-96/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/ikev2/alg-sha256-96/test.conf
+++ b/testing/tests/ikev2/alg-sha256-96/test.conf
@@ -5,11 +5,11 @@
# All UML instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
# UML instances on which tcpdump is to be started
#
diff --git a/testing/tests/ikev2/alg-sha256/test.conf b/testing/tests/ikev2/alg-sha256/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/ikev2/alg-sha256/test.conf
+++ b/testing/tests/ikev2/alg-sha256/test.conf
@@ -5,11 +5,11 @@
# All UML instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
# UML instances on which tcpdump is to be started
#
diff --git a/testing/tests/ikev2/alg-sha384/test.conf b/testing/tests/ikev2/alg-sha384/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/ikev2/alg-sha384/test.conf
+++ b/testing/tests/ikev2/alg-sha384/test.conf
@@ -5,11 +5,11 @@
# All UML instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
# UML instances on which tcpdump is to be started
#
diff --git a/testing/tests/ikev2/alg-sha512/test.conf b/testing/tests/ikev2/alg-sha512/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/ikev2/alg-sha512/test.conf
+++ b/testing/tests/ikev2/alg-sha512/test.conf
@@ -5,11 +5,11 @@
# All UML instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
# UML instances on which tcpdump is to be started
#
diff --git a/testing/tests/ikev2/compress/test.conf b/testing/tests/ikev2/compress/test.conf
index fd33cfb57..6abbb89a9 100644
--- a/testing/tests/ikev2/compress/test.conf
+++ b/testing/tests/ikev2/compress/test.conf
@@ -5,11 +5,11 @@
# All UML instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
# UML instances on which tcpdump is to be started
#
diff --git a/testing/tests/ikev2/dpd-hold/test.conf b/testing/tests/ikev2/dpd-hold/test.conf
index 2b240d895..5442565f8 100644
--- a/testing/tests/ikev2/dpd-hold/test.conf
+++ b/testing/tests/ikev2/dpd-hold/test.conf
@@ -5,11 +5,11 @@
# All UML instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
# UML instances on which tcpdump is to be started
#
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/description.txt b/testing/tests/ikev2/esp-alg-aes-ccm/description.txt
deleted file mode 100644
index 9fe03b010..000000000
--- a/testing/tests/ikev2/esp-alg-aes-ccm/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
-<b>AES_CCM_12_128</b> by defining <b>esp=aes128ccm12-modp2048</b> or alternatively
-<b>esp=aes128ccm96-modp2048</b> in ipsec.conf.
-A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/description.txt b/testing/tests/ikev2/esp-alg-aes-ctr/description.txt
deleted file mode 100644
index 6443a348f..000000000
--- a/testing/tests/ikev2/esp-alg-aes-ctr/description.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
-<b>AES_CTR_128 / AES_XCBC_96</b> by defining <b>esp=aes128ctr-aesxcbc-modp2048</b> in ipsec.conf.
-A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/description.txt b/testing/tests/ikev2/esp-alg-aes-gcm/description.txt
deleted file mode 100644
index bd9521e0d..000000000
--- a/testing/tests/ikev2/esp-alg-aes-gcm/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
-<b>AES_GCM_16_256</b> by defining <b>esp=aes256gcm16-modp2048</b> or alternatively
-<b>esp=aes256gcm128-modp2048</b> in ipsec.conf.
-A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 339b56987..000000000
--- a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 339b56987..000000000
--- a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/test.conf b/testing/tests/ikev2/esp-alg-aes-gmac/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/ikev2/esp-alg-aes-gmac/test.conf
+++ b/testing/tests/ikev2/esp-alg-aes-gmac/test.conf
@@ -5,11 +5,11 @@
# All UML instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
# UML instances on which tcpdump is to be started
#
diff --git a/testing/tests/ikev2/esp-alg-null/test.conf b/testing/tests/ikev2/esp-alg-null/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/ikev2/esp-alg-null/test.conf
+++ b/testing/tests/ikev2/esp-alg-null/test.conf
@@ -5,11 +5,11 @@
# All UML instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
# UML instances on which tcpdump is to be started
#
diff --git a/testing/tests/ikev2/ip-pool-db/posttest.dat b/testing/tests/ikev2/ip-pool-db/posttest.dat
index 1c955057a..5b88b2163 100644
--- a/testing/tests/ikev2/ip-pool-db/posttest.dat
+++ b/testing/tests/ikev2/ip-pool-db/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
+moon::ipsec stop
moon::/etc/init.d/iptables stop 2> /dev/null
carol::/etc/init.d/iptables stop 2> /dev/null
dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/ip-pool-wish/posttest.dat b/testing/tests/ikev2/ip-pool-wish/posttest.dat
index 7cebd7f25..1777f439f 100644
--- a/testing/tests/ikev2/ip-pool-wish/posttest.dat
+++ b/testing/tests/ikev2/ip-pool-wish/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
+moon::ipsec stop
moon::/etc/init.d/iptables stop 2> /dev/null
carol::/etc/init.d/iptables stop 2> /dev/null
dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/ip-pool/posttest.dat b/testing/tests/ikev2/ip-pool/posttest.dat
index 7cebd7f25..1777f439f 100644
--- a/testing/tests/ikev2/ip-pool/posttest.dat
+++ b/testing/tests/ikev2/ip-pool/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
+moon::ipsec stop
moon::/etc/init.d/iptables stop 2> /dev/null
carol::/etc/init.d/iptables stop 2> /dev/null
dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/ip-split-pools-db/posttest.dat b/testing/tests/ikev2/ip-split-pools-db/posttest.dat
index 32b445090..9d88281ad 100644
--- a/testing/tests/ikev2/ip-split-pools-db/posttest.dat
+++ b/testing/tests/ikev2/ip-split-pools-db/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
+moon::ipsec stop
moon::ipsec pool --del pool0 2> /dev/null
moon::ipsec pool --del pool1 2> /dev/null
moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev2/ip-two-pools-db/posttest.dat b/testing/tests/ikev2/ip-two-pools-db/posttest.dat
index 83052889c..7b0393ebd 100644
--- a/testing/tests/ikev2/ip-two-pools-db/posttest.dat
+++ b/testing/tests/ikev2/ip-two-pools-db/posttest.dat
@@ -1,8 +1,8 @@
alice::ipsec stop
venus::ipsec stop
-moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
+moon::ipsec stop
alice::/etc/init.d/iptables stop 2> /dev/null
venus::/etc/init.d/iptables stop 2> /dev/null
moon::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/ip-two-pools/posttest.dat b/testing/tests/ikev2/ip-two-pools/posttest.dat
index f849b7e1a..f41bb0fbc 100644
--- a/testing/tests/ikev2/ip-two-pools/posttest.dat
+++ b/testing/tests/ikev2/ip-two-pools/posttest.dat
@@ -1,6 +1,6 @@
alice::ipsec stop
-moon::ipsec stop
carol::ipsec stop
+moon::ipsec stop
moon::/etc/init.d/iptables stop 2> /dev/null
carol::/etc/init.d/iptables stop 2> /dev/null
alice::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat
index d64b3da7d..897db40ed 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat
@@ -13,7 +13,7 @@ moon::cat /var/log/daemon.log::authentication of .*dave@strongswan.org.* with RS
dave::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
dave::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
moon::cat /var/log/daemon.log::received EAP identity .*228060123456002::YES
-moon::cat /var/log/daemon.log::received Access-Reject from RADIUS server::YES
+moon::cat /var/log/daemon.log::RADIUS authentication of '228060123456002' failed::YES
moon::cat /var/log/daemon.log::EAP method EAP_SIM failed for peer 228060123456002@strongswan.org::YES
moon::ipsec statusall::rw-mult.*ESTABLISHED.*228060123456002@strongswan.org::NO
dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
diff --git a/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/mark_updown b/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/mark_updown
index 442233f32..0d22e684d 100755
--- a/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/mark_updown
+++ b/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/mark_updown
@@ -124,7 +124,7 @@
# PLUTO_MARK_OUT
# is an optional XFRM mark set on the outbound IPsec SA
#
-# PLUTO_ESP_ENC
+# PLUTO_UDP_ENC
# contains the remote UDP port in the case of ESP_IN_UDP
# encapsulation
#
diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown
index d7b68956c..c64158a2f 100755
--- a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown
+++ b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown
@@ -124,7 +124,7 @@
# PLUTO_MARK_OUT
# is an optional XFRM mark set on the outbound IPsec SA
#
-# PLUTO_ESP_ENC
+# PLUTO_UDP_ENC
# contains the remote UDP port in the case of ESP_IN_UDP
# encapsulation
#
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat b/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat
index a0a045ce8..77d3d45e5 100644
--- a/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat
@@ -1,7 +1,7 @@
moon::cat /var/log/daemon.log::requesting ocsp status from::YES
moon::cat /var/log/daemon.log::ocsp response verification failed::YES
moon::cat /var/log/daemon.log::certificate status is not available::YES
-moon::cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least GOOD::YES
+moon::cat /var/log/daemon.log::constraint check failed: RULE_OCSP_VALIDATION is FAILED, but requires at least GOOD::YES
moon::ipsec status::rw.*ESTABLISHED::NO
carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
carol::ipsec status::home.*ESTABLISHED::NO
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat b/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat
index 2e0f059c6..6a253d830 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat
@@ -1,7 +1,7 @@
moon::cat /var/log/daemon.log::authentication of.*carol.*successful::YES
moon::cat /var/log/daemon.log::libcurl http request failed::YES
moon::cat /var/log/daemon.log::certificate status is not available::YES
-moon::cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least SKIPPED::YES
+moon::cat /var/log/daemon.log::constraint check failed: RULE_OCSP_VALIDATION is FAILED, but requires at least SKIPPED::YES
moon::ipsec status::ESTABLISHED.*carol::YES
moon::ipsec status::ESTABLISHED.*dave::NO
carol::ipsec status::ESTABLISHED::YES
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat b/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat
index 45c6ce7c5..44945bf5f 100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat
@@ -2,6 +2,6 @@ moon::cat /var/log/daemon.log::requesting ocsp status from::YES
moon::cat /var/log/daemon.log::self-signed certificate.*is not trusted::YES
moon::cat /var/log/daemon.log::ocsp response verification failed::YES
moon::cat /var/log/daemon.log::certificate status is not available::YES
-moon::cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least GOOD::YES
+moon::cat /var/log/daemon.log::constraint check failed: RULE_OCSP_VALIDATION is FAILED, but requires at least GOOD::YES
moon::ipsec status::rw.*ESTABLISHED::NO
carol::ipsec status::home.*ESTABLISHED::NO
diff --git a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
index 6d762c970..bbb5a76fd 100644
--- a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
}
libstrongswan {
diff --git a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
index 6d762c970..bbb5a76fd 100644
--- a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
}
libstrongswan {
diff --git a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
index 6d762c970..bbb5a76fd 100644
--- a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
}
libstrongswan {
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/sites-available/default
index 9c3702cb7..2de32a6f2 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/sites-available/default
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/sites-available/default
@@ -1,29 +1,11 @@
authorize {
- preprocess
- chap
- mschap
- suffix
eap {
ok = return
}
- unix
files
- expiration
- logintime
- pap
}
authenticate {
- Auth-Type PAP {
- pap
- }
- Auth-Type CHAP {
- chap
- }
- Auth-Type MS-CHAP {
- mschap
- }
- unix
eap
}
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat b/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat
index 3508e9d8c..280d62e3c 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat
@@ -1,9 +1,5 @@
moon::/etc/init.d/iptables start 2> /dev/null
carol::/etc/init.d/iptables start 2> /dev/null
-alice::cat /etc/raddb/clients.conf
-alice::cat /etc/raddb/eap.conf
-alice::cat /etc/raddb/proxy.conf
-alice::cat /etc/raddb/users
alice::/etc/init.d/radiusd start
moon::ipsec start
carol::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/test.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/test.conf
index 2bd21499b..e0d77b583 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/test.conf
@@ -19,3 +19,8 @@ TCPDUMPHOSTS="moon"
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/sites-available/default
index 9c3702cb7..802fcfd8d 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/sites-available/default
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/sites-available/default
@@ -1,29 +1,12 @@
authorize {
- preprocess
- chap
- mschap
suffix
eap {
ok = return
}
- unix
files
- expiration
- logintime
- pap
}
authenticate {
- Auth-Type PAP {
- pap
- }
- Auth-Type CHAP {
- chap
- }
- Auth-Type MS-CHAP {
- mschap
- }
- unix
eap
}
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat b/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat
index 3508e9d8c..280d62e3c 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat
@@ -1,9 +1,5 @@
moon::/etc/init.d/iptables start 2> /dev/null
carol::/etc/init.d/iptables start 2> /dev/null
-alice::cat /etc/raddb/clients.conf
-alice::cat /etc/raddb/eap.conf
-alice::cat /etc/raddb/proxy.conf
-alice::cat /etc/raddb/users
alice::/etc/init.d/radiusd start
moon::ipsec start
carol::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/test.conf b/testing/tests/ikev2/rw-eap-md5-radius/test.conf
index 2bd21499b..e0d77b583 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-md5-radius/test.conf
@@ -19,3 +19,8 @@ TCPDUMPHOSTS="moon"
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/sites-available/default
index dfceb037d..92896b11e 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/sites-available/default
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/sites-available/default
@@ -1,30 +1,11 @@
authorize {
- preprocess
- chap
- mschap
sim_files
- suffix
eap {
ok = return
}
- unix
- files
- expiration
- logintime
- pap
}
authenticate {
- Auth-Type PAP {
- pap
- }
- Auth-Type CHAP {
- chap
- }
- Auth-Type MS-CHAP {
- mschap
- }
- unix
eap
}
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat
index 0a9f41856..0da980c07 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat
@@ -1,8 +1,5 @@
moon::/etc/init.d/iptables start 2> /dev/null
carol::/etc/init.d/iptables start 2> /dev/null
-alice::cat /etc/raddb/clients.conf
-alice::cat /etc/raddb/eap.conf
-alice::cat /etc/raddb/proxy.conf
alice::cat /etc/raddb/triplets.dat
alice::/etc/init.d/radiusd start
moon::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/test.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/test.conf
index 2bd21499b..e0d77b583 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/test.conf
@@ -19,3 +19,8 @@ TCPDUMPHOSTS="moon"
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat
index ff3e67459..852d424af 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat
@@ -7,7 +7,7 @@ carol::ipsec statusall::home.*ESTABLISHED::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::cat /var/log/daemon.log::received Access-Reject from RADIUS server::YES
+moon::cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
moon::cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongswan.org::YES
moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@strongswan.org::NO
dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/sites-available/default
index dfceb037d..126d61d05 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/sites-available/default
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/sites-available/default
@@ -1,30 +1,12 @@
authorize {
- preprocess
- chap
- mschap
sim_files
suffix
eap {
ok = return
}
- unix
- files
- expiration
- logintime
- pap
}
authenticate {
- Auth-Type PAP {
- pap
- }
- Auth-Type CHAP {
- chap
- }
- Auth-Type MS-CHAP {
- mschap
- }
- unix
eap
}
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf
index 9f82ffa2f..e468cd4f9 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf
@@ -2,5 +2,4 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
- send_vendor_id = yes
}
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf
index 9f82ffa2f..e468cd4f9 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf
@@ -2,5 +2,4 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
- send_vendor_id = yes
}
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf
index 8250ae1ab..f21745bcd 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf
@@ -2,7 +2,6 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius updown
- send_vendor_id = yes
plugins {
eap-radius {
secret = gv6URkSs
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat
index 6a30756b7..5a51733dc 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat
@@ -4,9 +4,6 @@ dave::/etc/init.d/iptables start 2> /dev/null
moon::rm /etc/ipsec.d/cacerts/*
carol::rm /etc/ipsec.d/cacerts/*
dave::rm /etc/ipsec.d/cacerts/*
-alice::cat /etc/raddb/clients.conf
-alice::cat /etc/raddb/eap.conf
-alice::cat /etc/raddb/proxy.conf
alice::cat /etc/raddb/triplets.dat
alice::/etc/init.d/radiusd start
moon::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/test.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/test.conf
index 70416826e..bb6b68687 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/test.conf
@@ -19,3 +19,8 @@ TCPDUMPHOSTS="moon"
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
index 5fae7ecd5..b4d66adc6 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
@@ -7,7 +7,7 @@ carol::ipsec statusall::home.*ESTABLISHED::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::cat /var/log/daemon.log::received Access-Reject from RADIUS server::YES
+moon::cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
moon::cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongswan.org::YES
moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@strongswan.org::NO
dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/description.txt b/testing/tests/ikev2/rw-eap-tls-fragments/description.txt
new file mode 100644
index 000000000..f6a5f1c7b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/description.txt
@@ -0,0 +1,5 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+The strong mutual authentication of both peers is based on <b>EAP-TLS</b> only
+(without a separate IKEv2 authentication), using TLS client and server certificates,
+respectively. Large certificates and a multi-level trust hierarchy with a path length
+of 3 force a fragmentation of the TLS handshake message into two TLS records.
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/evaltest.dat b/testing/tests/ikev2/rw-eap-tls-fragments/evaltest.dat
new file mode 100644
index 000000000..f4d534051
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/evaltest.dat
@@ -0,0 +1,9 @@
+carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
+carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.d.strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=carol@d.strongswan.org' with EAP successful::YES
+moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..889a47d80
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+ charondebug="tls 2"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftcert=carol_D_cert.der
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid="C=CH, O=strongSwan Project, CN=moon.d.strongswan.org"
+ rightsubnet=10.1.0.0/16
+ rightsendcert=never
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/cacerts/ca_A_cert.der b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/cacerts/ca_A_cert.der
new file mode 100644
index 000000000..43984fd2b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/cacerts/ca_A_cert.der
Binary files differ
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/certs/carol_D_cert.der b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/certs/carol_D_cert.der
new file mode 100644
index 000000000..1b3748ba5
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/certs/carol_D_cert.der
Binary files differ
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/private/carol_key.der b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/private/carol_key.der
new file mode 100644
index 000000000..bebee462d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.d/private/carol_key.der
Binary files differ
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..a1a643655
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA carol_key.der
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..dc0bcdff5
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac stroke kernel-netlink socket-default eap-tls updown
+ multiple_authentication=no
+
+ plugins {
+ eap-tls {
+ max_message_count = 40
+ }
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..9f979e17b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ strictcrlpolicy=no
+ plutostart=no
+ charondebug="tls 2"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw-eap
+ left=PH_IP_MOON
+ leftsubnet=10.1.0.0/16
+ leftcert=moon_D_cert.der
+ leftauth=eap-tls
+ leftfirewall=yes
+ rightauth=eap-tls
+ rightsendcert=never
+ right=%any
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_A_cert.der b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_A_cert.der
new file mode 100644
index 000000000..43984fd2b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_A_cert.der
Binary files differ
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_B_cert.der b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_B_cert.der
new file mode 100644
index 000000000..4f42bb29a
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_B_cert.der
Binary files differ
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_C_cert.der b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_C_cert.der
new file mode 100644
index 000000000..dda5a5b1c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_C_cert.der
Binary files differ
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_D_cert.der b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_D_cert.der
new file mode 100644
index 000000000..6f59b569e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/cacerts/ca_D_cert.der
Binary files differ
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/certs/moon_D_cert.der b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/certs/moon_D_cert.der
new file mode 100644
index 000000000..8d7a0a774
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/certs/moon_D_cert.der
Binary files differ
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_A_key.der b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_A_key.der
new file mode 100644
index 000000000..cbd7b0dc7
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_A_key.der
Binary files differ
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_B_key.der b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_B_key.der
new file mode 100644
index 000000000..9b1da0ea8
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_B_key.der
Binary files differ
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_C_key.der b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_C_key.der
new file mode 100644
index 000000000..ba08fc3c5
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_C_key.der
Binary files differ
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_D_key.der b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_D_key.der
new file mode 100644
index 000000000..9fb1ba0f8
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/ca_D_key.der
Binary files differ
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/moon_key.der b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/moon_key.der
new file mode 100644
index 000000000..88c478c35
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.d/private/moon_key.der
Binary files differ
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..e02427b6b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moon_key.der
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..dc0bcdff5
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac stroke kernel-netlink socket-default eap-tls updown
+ multiple_authentication=no
+
+ plugins {
+ eap-tls {
+ max_message_count = 40
+ }
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/posttest.dat b/testing/tests/ikev2/rw-eap-tls-fragments/posttest.dat
new file mode 100644
index 000000000..085b19509
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/posttest.dat
@@ -0,0 +1,10 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+moon::rm /etc/ipsec.d/cacerts/*
+moon::rm /etc/ipsec.d/certs/*
+moon::rm /etc/ipsec.d/private/*
+carol::rm /etc/ipsec.d/cacerts/*
+carol::rm /etc/ipsec.d/certs/*
+carol::rm /etc/ipsec.d/private/*
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/pretest.dat b/testing/tests/ikev2/rw-eap-tls-fragments/pretest.dat
new file mode 100644
index 000000000..35d35dc86
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/pretest.dat
@@ -0,0 +1,9 @@
+moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem
+carol::rm /etc/ipsec.d/cacerts/strongswanCert.pem
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/test.conf b/testing/tests/ikev2/rw-eap-tls-fragments/test.conf
index acb73b06f..2bd21499b 100644
--- a/testing/tests/ikev2/esp-alg-aes-gcm/test.conf
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/test.conf
@@ -5,11 +5,11 @@
# All UML instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice carol moon"
# Corresponding block diagram
#
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c.png"
# UML instances on which tcpdump is to be started
#
diff --git a/testing/tests/ikev2/rw-eap-tls-only/description.txt b/testing/tests/ikev2/rw-eap-tls-only/description.txt
new file mode 100644
index 000000000..b3e0450a4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-only/description.txt
@@ -0,0 +1,4 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+The strong mutual authentication of both peers is based on <b>EAP-TLS</b> only
+(without a separate IKEv2 authentication), using TLS client and server certificates,
+respectively.
diff --git a/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat b/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat
new file mode 100644
index 000000000..1e9bdb2af
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat
@@ -0,0 +1,9 @@
+carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
+carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
+moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..3aeab002f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftcert=carolCert.pem
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+ rightsubnet=10.1.0.0/16
+ rightsendcert=never
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..5fe84aea3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-tls updown
+ multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..430211020
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw-eap
+ left=PH_IP_MOON
+ leftsubnet=10.1.0.0/16
+ leftcert=moonCert.pem
+ leftauth=eap-tls
+ leftfirewall=yes
+ rightauth=eap-tls
+ rightsendcert=never
+ right=%any
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..5fe84aea3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-tls updown
+ multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-tls-only/posttest.dat b/testing/tests/ikev2/rw-eap-tls-only/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-only/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tls-only/pretest.dat b/testing/tests/ikev2/rw-eap-tls-only/pretest.dat
new file mode 100644
index 000000000..ed5498bfe
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-only/pretest.dat
@@ -0,0 +1,7 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tls-only/test.conf b/testing/tests/ikev2/rw-eap-tls-only/test.conf
new file mode 100644
index 000000000..9cd583b16
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-only/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/description.txt b/testing/tests/ikev2/rw-eap-tls-radius/description.txt
new file mode 100644
index 000000000..842a88c42
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/description.txt
@@ -0,0 +1,5 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>RSA signature</b> accompanied by a certificate.
+<b>carol</b> then uses a mutual <b>EAP-TLS</b> authentication based
+on X.509 certificates with the remote AAA RADIUS server <b>alice</b>.
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat
new file mode 100644
index 000000000..f0a674063
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat
@@ -0,0 +1,11 @@
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
+moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+
+
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/clients.conf
new file mode 100644
index 000000000..f4e179aa4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/clients.conf
@@ -0,0 +1,4 @@
+client PH_IP_MOON1 {
+ secret = gv6URkSs
+ shortname = moon
+}
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/eap.conf
new file mode 100644
index 000000000..92f96ad66
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/eap.conf
@@ -0,0 +1,13 @@
+eap {
+ default_eap_type = tls
+ tls {
+ certdir = /etc/raddb/certs
+ cadir = /etc/raddb/certs
+ private_key_file = /etc/raddb/certs/aaaKey.pem
+ certificate_file = /etc/raddb/certs/aaaCert.pem
+ CA_file = /etc/raddb/certs/strongswanCert.pem
+ cipher_list = "DEFAULT"
+ dh_file = /etc/raddb/certs/dh
+ random_file = /etc/raddb/certs/random
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+ type = radius
+ authhost = LOCAL
+ accthost = LOCAL
+}
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/radiusd.conf
new file mode 100644
index 000000000..1143a0473
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/radiusd.conf
@@ -0,0 +1,120 @@
+# radiusd.conf -- FreeRADIUS server configuration file.
+
+prefix = /usr
+exec_prefix = ${prefix}
+sysconfdir = /etc
+localstatedir = /var
+sbindir = ${exec_prefix}/sbin
+logdir = ${localstatedir}/log/radius
+raddbdir = ${sysconfdir}/raddb
+radacctdir = ${logdir}/radacct
+
+# name of the running server. See also the "-n" command-line option.
+name = radiusd
+
+# Location of config and logfiles.
+confdir = ${raddbdir}
+run_dir = ${localstatedir}/run/radiusd
+
+# Should likely be ${localstatedir}/lib/radiusd
+db_dir = ${raddbdir}
+
+# libdir: Where to find the rlm_* modules.
+libdir = ${exec_prefix}/lib
+
+# pidfile: Where to place the PID of the RADIUS server.
+pidfile = ${run_dir}/${name}.pid
+
+# max_request_time: The maximum time (in seconds) to handle a request.
+max_request_time = 30
+
+# cleanup_delay: The time to wait (in seconds) before cleaning up
+cleanup_delay = 5
+
+# max_requests: The maximum number of requests which the server keeps
+max_requests = 1024
+
+# listen: Make the server listen on a particular IP address, and send
+listen {
+ type = auth
+ ipaddr = PH_IP_ALICE
+ port = 0
+}
+
+# This second "listen" section is for listening on the accounting
+# port, too.
+#
+listen {
+ type = acct
+ ipaddr = PH_IP_ALICE
+ port = 0
+}
+
+# hostname_lookups: Log the names of clients or just their IP addresses
+hostname_lookups = no
+
+# Core dumps are a bad thing. This should only be set to 'yes'
+allow_core_dumps = no
+
+# Regular expressions
+regular_expressions = yes
+extended_expressions = yes
+
+# Logging section. The various "log_*" configuration items
+log {
+ destination = files
+ file = ${logdir}/radius.log
+ syslog_facility = daemon
+ stripped_names = no
+ auth = yes
+ auth_badpass = yes
+ auth_goodpass = yes
+}
+
+# The program to execute to do concurrency checks.
+checkrad = ${sbindir}/checkrad
+
+# Security considerations
+security {
+ max_attributes = 200
+ reject_delay = 1
+ status_server = yes
+}
+
+# PROXY CONFIGURATION
+proxy_requests = yes
+$INCLUDE proxy.conf
+
+# CLIENTS CONFIGURATION
+$INCLUDE clients.conf
+
+# THREAD POOL CONFIGURATION
+thread pool {
+ start_servers = 5
+ max_servers = 32
+ min_spare_servers = 3
+ max_spare_servers = 10
+ max_requests_per_server = 0
+}
+
+# MODULE CONFIGURATION
+modules {
+ $INCLUDE ${confdir}/modules/
+ $INCLUDE eap.conf
+ $INCLUDE sql.conf
+ $INCLUDE sql/mysql/counter.conf
+}
+
+# Instantiation
+instantiate {
+ exec
+ expr
+ expiration
+ logintime
+}
+
+# Policies
+$INCLUDE policy.conf
+
+# Include all enabled virtual hosts
+$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/sites-available/default
new file mode 100644
index 000000000..990184919
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/sites-available/default
@@ -0,0 +1,42 @@
+authorize {
+ eap {
+ ok = return
+ }
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/users
new file mode 100644
index 000000000..247b918e3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/users
@@ -0,0 +1 @@
+carol Cleartext-Password := "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..4f4c8abcf
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+ charondebug="tls 2"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftcert=carolCert.pem
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+ rightsubnet=10.1.0.0/16
+ rightauth=pubkey
+ aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..5fe84aea3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-tls updown
+ multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..56587b2e8
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,84 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+ before net
+ need logger
+}
+
+start() {
+ ebegin "Starting firewall"
+
+ # enable IP forwarding
+ echo 1 > /proc/sys/net/ipv4/ip_forward
+
+ # default policy is DROP
+ /sbin/iptables -P INPUT DROP
+ /sbin/iptables -P OUTPUT DROP
+ /sbin/iptables -P FORWARD DROP
+
+ # allow esp
+ iptables -A INPUT -i eth0 -p 50 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+ # allow IKE
+ iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+ # allow MobIKE
+ iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+ # allow crl fetch from winnetou
+ iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+ # allow RADIUS protocol with alice
+ iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+ iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+ # allow ssh
+ iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+ iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+
+ if [ $a == nat ]; then
+ /sbin/iptables -t nat -P PREROUTING ACCEPT
+ /sbin/iptables -t nat -P POSTROUTING ACCEPT
+ /sbin/iptables -t nat -P OUTPUT ACCEPT
+ elif [ $a == mangle ]; then
+ /sbin/iptables -t mangle -P PREROUTING ACCEPT
+ /sbin/iptables -t mangle -P INPUT ACCEPT
+ /sbin/iptables -t mangle -P FORWARD ACCEPT
+ /sbin/iptables -t mangle -P OUTPUT ACCEPT
+ /sbin/iptables -t mangle -P POSTROUTING ACCEPT
+ elif [ $a == filter ]; then
+ /sbin/iptables -t filter -P INPUT ACCEPT
+ /sbin/iptables -t filter -P FORWARD ACCEPT
+ /sbin/iptables -t filter -P OUTPUT ACCEPT
+ fi
+ done
+ eend $?
+}
+
+reload() {
+ ebegin "Flushing firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+ done;
+ eend $?
+ start
+}
+
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..be907f839
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw-eap
+ left=PH_IP_MOON
+ leftsubnet=10.1.0.0/16
+ leftcert=moonCert.pem
+ leftauth=pubkey
+ leftfirewall=yes
+ rightid="C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org"
+ rightauth=eap-radius
+ rightsendcert=never
+ right=%any
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..e86d6aa5c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..4d2d3058d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-radius updown
+ multiple_authentication=no
+ plugins {
+ eap-radius {
+ secret = gv6URkSs
+ server = PH_IP_ALICE
+ }
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat b/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat
new file mode 100644
index 000000000..920d6a20d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat
@@ -0,0 +1,5 @@
+moon::ipsec stop
+carol::ipsec stop
+alice::/etc/init.d/radiusd stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat b/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat
new file mode 100644
index 000000000..280d62e3c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat
@@ -0,0 +1,8 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+alice::/etc/init.d/radiusd start
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/test.conf b/testing/tests/ikev2/rw-eap-tls-radius/test.conf
new file mode 100644
index 000000000..e0d77b583
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice carol moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/description.txt b/testing/tests/ikev2/rw-eap-tnc-block/description.txt
new file mode 100644
index 000000000..51423177a
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/description.txt
@@ -0,0 +1,8 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
+using EAP-TTLS authentication only with the gateway presenting a server certificate and
+the clients doing EAP-MD5 password-based authentication.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface.
+<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements
+<b>carol</b> is authenticated successfully and is granted access to the subnet behind
+<b>moon</b> whereas <b>dave</b> fails the layered EAP authentication and is rejected.
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-block/evaltest.dat
new file mode 100644
index 000000000..2304df23e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/evaltest.dat
@@ -0,0 +1,12 @@
+carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/16::YES
+dave::cat /var/log/daemon.log::TNCCS-Recommendation.*none::YES
+dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO
+moon::cat /var/log/daemon.log::added group membership 'allow'::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..c19192dae
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+ charondebug="tls 2, tnc 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftid=carol@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsendcert=never
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..c12143cb1
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
+ multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..f5da834c0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+allow
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..a5a9a68f3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..7d5ea8b83
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+ charondebug="tls 2, tnc 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_DAVE
+ leftid=dave@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsendcert=never
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..5496df7ad
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..c12143cb1
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
+ multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..621e94f0e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+none
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..a5a9a68f3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..6747b4a4a
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ strictcrlpolicy=no
+ plutostart=no
+ charondebug="tls 2, tnc 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw-eap
+ left=PH_IP_MOON
+ leftsubnet=10.1.0.0/16
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftauth=eap-ttls
+ leftfirewall=yes
+ rightauth=eap-ttls
+ rightid=*@strongswan.org
+ rightsendcert=never
+ right=%any
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..f8700d3c5
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-11 tnc-imv updown
+ multiple_authentication=no
+ plugins {
+ eap-ttls {
+ phase2_method = md5
+ phase2_piggyback = yes
+ phase2_tnc = yes
+ }
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..ac436a344
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMV configuration file for strongSwan server
+
+IMV "Dummy" /usr/local/lib/libdummyimv.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-block/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-block/pretest.dat
new file mode 100644
index 000000000..ce897d181
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/pretest.dat
@@ -0,0 +1,15 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+carol::cat /etc/tnc/dummyimc.file
+dave::cat /etc/tnc/dummyimc.file
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/test.conf b/testing/tests/ikev2/rw-eap-tnc-block/test.conf
new file mode 100644
index 000000000..e28b8259b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-block/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/description.txt b/testing/tests/ikev2/rw-eap-tnc-radius-block/description.txt
new file mode 100644
index 000000000..350aefc60
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/description.txt
@@ -0,0 +1,11 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the clients by sending an IKEv2
+<b>RSA signature</b> accompanied by a certificate.
+<b>carol</b> and <b>dave</b> then set up an <b>EAP-TTLS</b> tunnel each via <b>moon</b> to
+the FreeRADIUS server <b>alice</b> authenticated by an X.509 AAA certificate.
+The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on <b>EAP-MD5</b>.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface.
+<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements <b>carol</b>
+is authenticated successfully and is granted access to the subnet behind <b>moon</b> whereas
+<b>dave</b> fails the layered EAP authentication and is rejected.
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-radius-block/evaltest.dat
new file mode 100644
index 000000000..517ea9ab2
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/evaltest.dat
@@ -0,0 +1,14 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/16::YES
+dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave::cat /var/log/daemon.log::TNCCS-Recommendation.*none::YES
+dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
+moon::cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/clients.conf
new file mode 100644
index 000000000..f4e179aa4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/clients.conf
@@ -0,0 +1,4 @@
+client PH_IP_MOON1 {
+ secret = gv6URkSs
+ shortname = moon
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary
new file mode 100644
index 000000000..1a27a02fc
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary
@@ -0,0 +1,2 @@
+$INCLUDE /usr/share/freeradius/dictionary
+$INCLUDE /etc/raddb/dictionary.tnc
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary.tnc b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary.tnc
new file mode 100644
index 000000000..f295467a9
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary.tnc
@@ -0,0 +1,5 @@
+ATTRIBUTE TNC-Status 3001 integer
+
+VALUE TNC-Status Access 0
+VALUE TNC-Status Isolate 1
+VALUE TNC-Status None 2
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/eap.conf
new file mode 100644
index 000000000..31556361e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/eap.conf
@@ -0,0 +1,25 @@
+eap {
+ md5 {
+ }
+ default_eap_type = ttls
+ tls {
+ private_key_file = /etc/raddb/certs/aaaKey.pem
+ certificate_file = /etc/raddb/certs/aaaCert.pem
+ CA_file = /etc/raddb/certs/strongswanCert.pem
+ cipher_list = "DEFAULT"
+ dh_file = /etc/raddb/certs/dh
+ random_file = /etc/raddb/certs/random
+ }
+ ttls {
+ default_eap_type = md5
+ use_tunneled_reply = yes
+ virtual_server = "inner-tunnel"
+ tnc_virtual_server = "inner-tunnel-second"
+ }
+}
+
+eap eap_tnc {
+ default_eap_type = tnc
+ tnc {
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+ type = radius
+ authhost = LOCAL
+ accthost = LOCAL
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/radiusd.conf
new file mode 100644
index 000000000..1143a0473
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/radiusd.conf
@@ -0,0 +1,120 @@
+# radiusd.conf -- FreeRADIUS server configuration file.
+
+prefix = /usr
+exec_prefix = ${prefix}
+sysconfdir = /etc
+localstatedir = /var
+sbindir = ${exec_prefix}/sbin
+logdir = ${localstatedir}/log/radius
+raddbdir = ${sysconfdir}/raddb
+radacctdir = ${logdir}/radacct
+
+# name of the running server. See also the "-n" command-line option.
+name = radiusd
+
+# Location of config and logfiles.
+confdir = ${raddbdir}
+run_dir = ${localstatedir}/run/radiusd
+
+# Should likely be ${localstatedir}/lib/radiusd
+db_dir = ${raddbdir}
+
+# libdir: Where to find the rlm_* modules.
+libdir = ${exec_prefix}/lib
+
+# pidfile: Where to place the PID of the RADIUS server.
+pidfile = ${run_dir}/${name}.pid
+
+# max_request_time: The maximum time (in seconds) to handle a request.
+max_request_time = 30
+
+# cleanup_delay: The time to wait (in seconds) before cleaning up
+cleanup_delay = 5
+
+# max_requests: The maximum number of requests which the server keeps
+max_requests = 1024
+
+# listen: Make the server listen on a particular IP address, and send
+listen {
+ type = auth
+ ipaddr = PH_IP_ALICE
+ port = 0
+}
+
+# This second "listen" section is for listening on the accounting
+# port, too.
+#
+listen {
+ type = acct
+ ipaddr = PH_IP_ALICE
+ port = 0
+}
+
+# hostname_lookups: Log the names of clients or just their IP addresses
+hostname_lookups = no
+
+# Core dumps are a bad thing. This should only be set to 'yes'
+allow_core_dumps = no
+
+# Regular expressions
+regular_expressions = yes
+extended_expressions = yes
+
+# Logging section. The various "log_*" configuration items
+log {
+ destination = files
+ file = ${logdir}/radius.log
+ syslog_facility = daemon
+ stripped_names = no
+ auth = yes
+ auth_badpass = yes
+ auth_goodpass = yes
+}
+
+# The program to execute to do concurrency checks.
+checkrad = ${sbindir}/checkrad
+
+# Security considerations
+security {
+ max_attributes = 200
+ reject_delay = 1
+ status_server = yes
+}
+
+# PROXY CONFIGURATION
+proxy_requests = yes
+$INCLUDE proxy.conf
+
+# CLIENTS CONFIGURATION
+$INCLUDE clients.conf
+
+# THREAD POOL CONFIGURATION
+thread pool {
+ start_servers = 5
+ max_servers = 32
+ min_spare_servers = 3
+ max_spare_servers = 10
+ max_requests_per_server = 0
+}
+
+# MODULE CONFIGURATION
+modules {
+ $INCLUDE ${confdir}/modules/
+ $INCLUDE eap.conf
+ $INCLUDE sql.conf
+ $INCLUDE sql/mysql/counter.conf
+}
+
+# Instantiation
+instantiate {
+ exec
+ expr
+ expiration
+ logintime
+}
+
+# Policies
+$INCLUDE policy.conf
+
+# Include all enabled virtual hosts
+$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/default
new file mode 100644
index 000000000..802fcfd8d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/default
@@ -0,0 +1,44 @@
+authorize {
+ suffix
+ eap {
+ ok = return
+ }
+ files
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel
new file mode 100644
index 000000000..e088fae14
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel
@@ -0,0 +1,32 @@
+server inner-tunnel {
+
+authorize {
+ suffix
+ eap {
+ ok = return
+ }
+ files
+}
+
+authenticate {
+ eap
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+} # inner-tunnel server block
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
new file mode 100644
index 000000000..2d4961288
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
@@ -0,0 +1,23 @@
+server inner-tunnel-second {
+
+authorize {
+ eap_tnc {
+ ok = return
+ }
+}
+
+authenticate {
+ eap_tnc
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ }
+}
+
+} # inner-tunnel-second block
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/users
new file mode 100644
index 000000000..50ccf3e76
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/users
@@ -0,0 +1,2 @@
+carol Cleartext-Password := "Ar3etTnp"
+dave Cleartext-Password := "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/tnc_config
new file mode 100644
index 000000000..a9509a716
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMV configuration file for TNC@FHH-TNC-Server
+
+IMV "Dummy" /usr/local/lib/libdummyimv.so.0.7.0
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..9cf2b43c4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+ charondebug="tls 2, tnc 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftid=carol@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ rightauth=pubkey
+ aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..c12143cb1
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
+ multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..f5da834c0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+allow
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..a5a9a68f3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..998e6c2e5
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+ charondebug="tls 2, tnc 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_DAVE
+ leftid=dave@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ rightauth=pubkey
+ aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..5496df7ad
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..c12143cb1
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
+ multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..621e94f0e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+none
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..a5a9a68f3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..56587b2e8
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,84 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+ before net
+ need logger
+}
+
+start() {
+ ebegin "Starting firewall"
+
+ # enable IP forwarding
+ echo 1 > /proc/sys/net/ipv4/ip_forward
+
+ # default policy is DROP
+ /sbin/iptables -P INPUT DROP
+ /sbin/iptables -P OUTPUT DROP
+ /sbin/iptables -P FORWARD DROP
+
+ # allow esp
+ iptables -A INPUT -i eth0 -p 50 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+ # allow IKE
+ iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+ # allow MobIKE
+ iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+ # allow crl fetch from winnetou
+ iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+ # allow RADIUS protocol with alice
+ iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+ iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+ # allow ssh
+ iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+ iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+
+ if [ $a == nat ]; then
+ /sbin/iptables -t nat -P PREROUTING ACCEPT
+ /sbin/iptables -t nat -P POSTROUTING ACCEPT
+ /sbin/iptables -t nat -P OUTPUT ACCEPT
+ elif [ $a == mangle ]; then
+ /sbin/iptables -t mangle -P PREROUTING ACCEPT
+ /sbin/iptables -t mangle -P INPUT ACCEPT
+ /sbin/iptables -t mangle -P FORWARD ACCEPT
+ /sbin/iptables -t mangle -P OUTPUT ACCEPT
+ /sbin/iptables -t mangle -P POSTROUTING ACCEPT
+ elif [ $a == filter ]; then
+ /sbin/iptables -t filter -P INPUT ACCEPT
+ /sbin/iptables -t filter -P FORWARD ACCEPT
+ /sbin/iptables -t filter -P OUTPUT ACCEPT
+ fi
+ done
+ eend $?
+}
+
+reload() {
+ ebegin "Flushing firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+ done;
+ eend $?
+ start
+}
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..fc8f84638
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw-eap
+ left=PH_IP_MOON
+ leftsubnet=10.1.0.0/16
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftauth=pubkey
+ leftfirewall=yes
+ rightauth=eap-radius
+ rightid=*@strongswan.org
+ rightsendcert=never
+ right=%any
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..e86d6aa5c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..4d2d3058d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-radius updown
+ multiple_authentication=no
+ plugins {
+ eap-radius {
+ secret = gv6URkSs
+ server = PH_IP_ALICE
+ }
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-radius-block/posttest.dat
new file mode 100644
index 000000000..132752119
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/posttest.dat
@@ -0,0 +1,8 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+alice::/etc/init.d/radiusd stop
+alice::rm /etc/raddb/sites-enabled/inner-tunnel-second
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-radius-block/pretest.dat
new file mode 100644
index 000000000..dc7d5934e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/pretest.dat
@@ -0,0 +1,15 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+alice::ln -s /etc/raddb/sites-available/inner-tunnel-second /etc/raddb/sites-enabled/inner-tunnel-second
+alice::cat /etc/raddb/sites-enabled/inner-tunnel-second
+alice::/etc/init.d/radiusd start
+carol::cat /etc/tnc/dummyimc.file
+dave::cat /etc/tnc/dummyimc.file
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/test.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/test.conf
new file mode 100644
index 000000000..bb6b68687
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius-block/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/description.txt b/testing/tests/ikev2/rw-eap-tnc-radius/description.txt
new file mode 100644
index 000000000..7eebd3d4d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/description.txt
@@ -0,0 +1,10 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the clients by sending an IKEv2
+<b>RSA signature</b> accompanied by a certificate.
+<b>carol</b> and <b>dave</b> then set up an <b>EAP-TTLS</b> tunnel each via <b>moon</b> to
+the FreeRADIUS server <b>alice</b> authenticated by an X.509 AAA certificate.
+The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on <b>EAP-MD5</b>.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface.
+<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the
+clients are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets, respectively.
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-radius/evaltest.dat
new file mode 100644
index 000000000..d0ea22ba9
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/evaltest.dat
@@ -0,0 +1,19 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
+dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave::cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
+dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon::cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
+moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
+dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/clients.conf
new file mode 100644
index 000000000..f4e179aa4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/clients.conf
@@ -0,0 +1,4 @@
+client PH_IP_MOON1 {
+ secret = gv6URkSs
+ shortname = moon
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary
new file mode 100644
index 000000000..1a27a02fc
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary
@@ -0,0 +1,2 @@
+$INCLUDE /usr/share/freeradius/dictionary
+$INCLUDE /etc/raddb/dictionary.tnc
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary.tnc b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary.tnc
new file mode 100644
index 000000000..f295467a9
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary.tnc
@@ -0,0 +1,5 @@
+ATTRIBUTE TNC-Status 3001 integer
+
+VALUE TNC-Status Access 0
+VALUE TNC-Status Isolate 1
+VALUE TNC-Status None 2
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/eap.conf
new file mode 100644
index 000000000..31556361e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/eap.conf
@@ -0,0 +1,25 @@
+eap {
+ md5 {
+ }
+ default_eap_type = ttls
+ tls {
+ private_key_file = /etc/raddb/certs/aaaKey.pem
+ certificate_file = /etc/raddb/certs/aaaCert.pem
+ CA_file = /etc/raddb/certs/strongswanCert.pem
+ cipher_list = "DEFAULT"
+ dh_file = /etc/raddb/certs/dh
+ random_file = /etc/raddb/certs/random
+ }
+ ttls {
+ default_eap_type = md5
+ use_tunneled_reply = yes
+ virtual_server = "inner-tunnel"
+ tnc_virtual_server = "inner-tunnel-second"
+ }
+}
+
+eap eap_tnc {
+ default_eap_type = tnc
+ tnc {
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+ type = radius
+ authhost = LOCAL
+ accthost = LOCAL
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/radiusd.conf
new file mode 100644
index 000000000..1143a0473
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/radiusd.conf
@@ -0,0 +1,120 @@
+# radiusd.conf -- FreeRADIUS server configuration file.
+
+prefix = /usr
+exec_prefix = ${prefix}
+sysconfdir = /etc
+localstatedir = /var
+sbindir = ${exec_prefix}/sbin
+logdir = ${localstatedir}/log/radius
+raddbdir = ${sysconfdir}/raddb
+radacctdir = ${logdir}/radacct
+
+# name of the running server. See also the "-n" command-line option.
+name = radiusd
+
+# Location of config and logfiles.
+confdir = ${raddbdir}
+run_dir = ${localstatedir}/run/radiusd
+
+# Should likely be ${localstatedir}/lib/radiusd
+db_dir = ${raddbdir}
+
+# libdir: Where to find the rlm_* modules.
+libdir = ${exec_prefix}/lib
+
+# pidfile: Where to place the PID of the RADIUS server.
+pidfile = ${run_dir}/${name}.pid
+
+# max_request_time: The maximum time (in seconds) to handle a request.
+max_request_time = 30
+
+# cleanup_delay: The time to wait (in seconds) before cleaning up
+cleanup_delay = 5
+
+# max_requests: The maximum number of requests which the server keeps
+max_requests = 1024
+
+# listen: Make the server listen on a particular IP address, and send
+listen {
+ type = auth
+ ipaddr = PH_IP_ALICE
+ port = 0
+}
+
+# This second "listen" section is for listening on the accounting
+# port, too.
+#
+listen {
+ type = acct
+ ipaddr = PH_IP_ALICE
+ port = 0
+}
+
+# hostname_lookups: Log the names of clients or just their IP addresses
+hostname_lookups = no
+
+# Core dumps are a bad thing. This should only be set to 'yes'
+allow_core_dumps = no
+
+# Regular expressions
+regular_expressions = yes
+extended_expressions = yes
+
+# Logging section. The various "log_*" configuration items
+log {
+ destination = files
+ file = ${logdir}/radius.log
+ syslog_facility = daemon
+ stripped_names = no
+ auth = yes
+ auth_badpass = yes
+ auth_goodpass = yes
+}
+
+# The program to execute to do concurrency checks.
+checkrad = ${sbindir}/checkrad
+
+# Security considerations
+security {
+ max_attributes = 200
+ reject_delay = 1
+ status_server = yes
+}
+
+# PROXY CONFIGURATION
+proxy_requests = yes
+$INCLUDE proxy.conf
+
+# CLIENTS CONFIGURATION
+$INCLUDE clients.conf
+
+# THREAD POOL CONFIGURATION
+thread pool {
+ start_servers = 5
+ max_servers = 32
+ min_spare_servers = 3
+ max_spare_servers = 10
+ max_requests_per_server = 0
+}
+
+# MODULE CONFIGURATION
+modules {
+ $INCLUDE ${confdir}/modules/
+ $INCLUDE eap.conf
+ $INCLUDE sql.conf
+ $INCLUDE sql/mysql/counter.conf
+}
+
+# Instantiation
+instantiate {
+ exec
+ expr
+ expiration
+ logintime
+}
+
+# Policies
+$INCLUDE policy.conf
+
+# Include all enabled virtual hosts
+$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/default
new file mode 100644
index 000000000..802fcfd8d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/default
@@ -0,0 +1,44 @@
+authorize {
+ suffix
+ eap {
+ ok = return
+ }
+ files
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel
new file mode 100644
index 000000000..e088fae14
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel
@@ -0,0 +1,32 @@
+server inner-tunnel {
+
+authorize {
+ suffix
+ eap {
+ ok = return
+ }
+ files
+}
+
+authenticate {
+ eap
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+} # inner-tunnel server block
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
new file mode 100644
index 000000000..f91bccc72
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
@@ -0,0 +1,36 @@
+server inner-tunnel-second {
+
+authorize {
+ eap_tnc {
+ ok = return
+ }
+}
+
+authenticate {
+ eap_tnc
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ if (control:TNC-Status == "Access") {
+ update reply {
+ Tunnel-Type := ESP
+ Filter-Id := "allow"
+ }
+ }
+ elsif (control:TNC-Status == "Isolate") {
+ update reply {
+ Tunnel-Type := ESP
+ Filter-Id := "isolate"
+ }
+ }
+
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ }
+}
+
+} # inner-tunnel-second block
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/users
new file mode 100644
index 000000000..50ccf3e76
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/users
@@ -0,0 +1,2 @@
+carol Cleartext-Password := "Ar3etTnp"
+dave Cleartext-Password := "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/tnc_config
new file mode 100644
index 000000000..a9509a716
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMV configuration file for TNC@FHH-TNC-Server
+
+IMV "Dummy" /usr/local/lib/libdummyimv.so.0.7.0
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..9cf2b43c4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+ charondebug="tls 2, tnc 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftid=carol@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ rightauth=pubkey
+ aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..c12143cb1
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
+ multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..f5da834c0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+allow
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..a5a9a68f3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..998e6c2e5
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+ charondebug="tls 2, tnc 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_DAVE
+ leftid=dave@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ rightauth=pubkey
+ aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..5496df7ad
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..c12143cb1
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
+ multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..c20b5e57f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+isolate \ No newline at end of file
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..a5a9a68f3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..56587b2e8
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,84 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+ before net
+ need logger
+}
+
+start() {
+ ebegin "Starting firewall"
+
+ # enable IP forwarding
+ echo 1 > /proc/sys/net/ipv4/ip_forward
+
+ # default policy is DROP
+ /sbin/iptables -P INPUT DROP
+ /sbin/iptables -P OUTPUT DROP
+ /sbin/iptables -P FORWARD DROP
+
+ # allow esp
+ iptables -A INPUT -i eth0 -p 50 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+ # allow IKE
+ iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+ # allow MobIKE
+ iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+ # allow crl fetch from winnetou
+ iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+ # allow RADIUS protocol with alice
+ iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+ iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+ # allow ssh
+ iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+ iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+
+ if [ $a == nat ]; then
+ /sbin/iptables -t nat -P PREROUTING ACCEPT
+ /sbin/iptables -t nat -P POSTROUTING ACCEPT
+ /sbin/iptables -t nat -P OUTPUT ACCEPT
+ elif [ $a == mangle ]; then
+ /sbin/iptables -t mangle -P PREROUTING ACCEPT
+ /sbin/iptables -t mangle -P INPUT ACCEPT
+ /sbin/iptables -t mangle -P FORWARD ACCEPT
+ /sbin/iptables -t mangle -P OUTPUT ACCEPT
+ /sbin/iptables -t mangle -P POSTROUTING ACCEPT
+ elif [ $a == filter ]; then
+ /sbin/iptables -t filter -P INPUT ACCEPT
+ /sbin/iptables -t filter -P FORWARD ACCEPT
+ /sbin/iptables -t filter -P OUTPUT ACCEPT
+ fi
+ done
+ eend $?
+}
+
+reload() {
+ ebegin "Flushing firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+ done;
+ eend $?
+ start
+}
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..33dcdcfb0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,35 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw-allow
+ rightgroups=allow
+ leftsubnet=10.1.0.0/28
+ also=rw-eap
+ auto=add
+
+conn rw-isolate
+ rightgroups=isolate
+ leftsubnet=10.1.0.16/28
+ also=rw-eap
+ auto=add
+
+conn rw-eap
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftauth=pubkey
+ leftfirewall=yes
+ rightauth=eap-radius
+ rightid=*@strongswan.org
+ rightsendcert=never
+ right=%any
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..e86d6aa5c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..f4e456bbe
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-radius updown
+ multiple_authentication=no
+ plugins {
+ eap-radius {
+ secret = gv6URkSs
+ server = PH_IP_ALICE
+ filter_id = yes
+ }
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-radius/posttest.dat
new file mode 100644
index 000000000..132752119
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/posttest.dat
@@ -0,0 +1,8 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+alice::/etc/init.d/radiusd stop
+alice::rm /etc/raddb/sites-enabled/inner-tunnel-second
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-radius/pretest.dat
new file mode 100644
index 000000000..8dd865819
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/pretest.dat
@@ -0,0 +1,18 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+alice::ln -s /etc/raddb/sites-available/inner-tunnel-second /etc/raddb/sites-enabled/inner-tunnel-second
+alice::cat /etc/raddb/sites-enabled/inner-tunnel-second
+alice::/etc/init.d/radiusd start
+alice::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+carol::cat /etc/tnc/dummyimc.file
+dave::cat /etc/tnc/dummyimc.file
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/test.conf b/testing/tests/ikev2/rw-eap-tnc-radius/test.conf
new file mode 100644
index 000000000..2a52df203
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-radius/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/description.txt b/testing/tests/ikev2/rw-eap-tnc-tls/description.txt
new file mode 100644
index 000000000..762b839ee
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/description.txt
@@ -0,0 +1,7 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>,
+bothe ends doing certificate-based EAP-TLS authentication only.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface.
+<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the
+clients are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets,
+respectively.
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-tls/evaltest.dat
new file mode 100644
index 000000000..cebfff25f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/evaltest.dat
@@ -0,0 +1,19 @@
+carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
+dave::cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
+dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon::cat /var/log/daemon.log::added group membership 'allow'::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
+dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..1b6274215
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+ charondebug="tls 2, tnc 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsendcert=never
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..c12143cb1
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
+ multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..f5da834c0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+allow
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..a5a9a68f3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..54c06b12e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+ charondebug="tls 2, tnc 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_DAVE
+ leftcert=daveCert.pem
+ leftid=dave@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsendcert=never
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..c12143cb1
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
+ multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..c20b5e57f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+isolate \ No newline at end of file
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..a5a9a68f3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..50514c99f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,36 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ strictcrlpolicy=no
+ plutostart=no
+ charondebug="tls 2, tnc 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw-allow
+ rightgroups=allow
+ leftsubnet=10.1.0.0/28
+ also=rw-eap
+ auto=add
+
+conn rw-isolate
+ rightgroups=isolate
+ leftsubnet=10.1.0.16/28
+ also=rw-eap
+ auto=add
+
+conn rw-eap
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftauth=eap-ttls
+ leftfirewall=yes
+ rightauth=eap-ttls
+ rightid=*@strongswan.org
+ rightsendcert=never
+ right=%any
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..8898a63ba
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-11 tnc-imv updown
+ multiple_authentication=no
+ plugins {
+ eap-ttls {
+ request_peer_auth = yes
+ phase2_piggyback = yes
+ phase2_tnc = yes
+ }
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..ac436a344
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMV configuration file for strongSwan server
+
+IMV "Dummy" /usr/local/lib/libdummyimv.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-tls/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-tls/pretest.dat
new file mode 100644
index 000000000..ce897d181
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/pretest.dat
@@ -0,0 +1,15 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+carol::cat /etc/tnc/dummyimc.file
+dave::cat /etc/tnc/dummyimc.file
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/test.conf b/testing/tests/ikev2/rw-eap-tnc-tls/test.conf
new file mode 100644
index 000000000..e28b8259b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-tls/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+
diff --git a/testing/tests/ikev2/rw-eap-tnc/description.txt b/testing/tests/ikev2/rw-eap-tnc/description.txt
new file mode 100644
index 000000000..4b4808c94
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/description.txt
@@ -0,0 +1,9 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
+using EAP-TTLS authentication only with the gateway presenting a server certificate and
+the clients doing EAP-MD5 password-based authentication.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface.
+<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the
+clients are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets,
+respectively.
+
diff --git a/testing/tests/ikev2/rw-eap-tnc/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc/evaltest.dat
new file mode 100644
index 000000000..a02755148
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/evaltest.dat
@@ -0,0 +1,19 @@
+carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
+dave::cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
+dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon::cat /var/log/daemon.log::added group membership 'allow'::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
+dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..c19192dae
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+ charondebug="tls 2, tnc 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftid=carol@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsendcert=never
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..c12143cb1
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
+ multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..f5da834c0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+allow
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..a5a9a68f3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..7d5ea8b83
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+ charondebug="tls 2, tnc 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_DAVE
+ leftid=dave@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsendcert=never
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..5496df7ad
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..c12143cb1
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
+ multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..c20b5e57f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+isolate \ No newline at end of file
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..a5a9a68f3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..50514c99f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,36 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ strictcrlpolicy=no
+ plutostart=no
+ charondebug="tls 2, tnc 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw-allow
+ rightgroups=allow
+ leftsubnet=10.1.0.0/28
+ also=rw-eap
+ auto=add
+
+conn rw-isolate
+ rightgroups=isolate
+ leftsubnet=10.1.0.16/28
+ also=rw-eap
+ auto=add
+
+conn rw-eap
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftauth=eap-ttls
+ leftfirewall=yes
+ rightauth=eap-ttls
+ rightid=*@strongswan.org
+ rightsendcert=never
+ right=%any
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..f8700d3c5
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-11 tnc-imv updown
+ multiple_authentication=no
+ plugins {
+ eap-ttls {
+ phase2_method = md5
+ phase2_piggyback = yes
+ phase2_tnc = yes
+ }
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..ac436a344
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMV configuration file for strongSwan server
+
+IMV "Dummy" /usr/local/lib/libdummyimv.so
diff --git a/testing/tests/ikev2/rw-eap-tnc/posttest.dat b/testing/tests/ikev2/rw-eap-tnc/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tnc/pretest.dat b/testing/tests/ikev2/rw-eap-tnc/pretest.dat
new file mode 100644
index 000000000..ce897d181
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/pretest.dat
@@ -0,0 +1,15 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+carol::cat /etc/tnc/dummyimc.file
+dave::cat /etc/tnc/dummyimc.file
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tnc/test.conf b/testing/tests/ikev2/rw-eap-tnc/test.conf
new file mode 100644
index 000000000..e28b8259b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/description.txt b/testing/tests/ikev2/rw-eap-ttls-only/description.txt
new file mode 100644
index 000000000..3d4c3ab87
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-only/description.txt
@@ -0,0 +1,11 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+The strong mutual authentication is based on <b>EAP-TTLS</b> only (without a separate IKEv2
+authentication) with the gateway being authenticated by a server certificate during the
+EAP-TLS tunnel setup (phase1 of EAP-TTLS). This tunnel protects the ensuing weak client
+authentication based on <b>EAP-MD5</b> (phase2 of EAP-TTLS).
+<p/>
+With the default setting <b>charon.plugins.eap-ttls.phase2_piggyback = no</b> the server
+<b>moon</b> passively waits for the clients to initiate phase2 of the EAP-TTLS protocol by
+sending a tunneled orphan EAP Identity response upon the reception of the server's TLS
+Finished message. Client <b>carol</b> presents the correct MD5 password and succeeds
+whereas client <b>dave</b> chooses the wrong password and fails.
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/evaltest.dat b/testing/tests/ikev2/rw-eap-ttls-only/evaltest.dat
new file mode 100644
index 000000000..9586fe558
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-only/evaltest.dat
@@ -0,0 +1,19 @@
+carol::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
+carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
+dave::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
+dave::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+dave::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+moon::cat /var/log/daemon.log::EAP_TTLS phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
+moon::ipsec statusall::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
+moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@stronswan.org::NO
+carol::ipsec statusall::home.*ESTABLISHED::YES
+dave::ipsec statusall::home.*ESTABLISHED::NO
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..967598643
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+ charondebug="tls 2"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftid=carol@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+ rightsubnet=10.1.0.0/16
+ rightsendcert=never
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..378bdc540
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+ multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..ad1255212
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+ charondebug="tls 2"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_DAVE
+ leftid=dave@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+ rightsubnet=10.1.0.0/16
+ rightsendcert=never
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..d5631a9f5
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "UgaM65Va"
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..378bdc540
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+ multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..d37848bac
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ strictcrlpolicy=no
+ plutostart=no
+ charondebug="tls 2"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw-eap
+ left=PH_IP_MOON
+ leftsubnet=10.1.0.0/16
+ leftcert=moonCert.pem
+ leftauth=eap-ttls
+ leftfirewall=yes
+ rightauth=eap-ttls
+ rightsendcert=never
+ right=%any
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..8cdcb640c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+ multiple_authentication=no
+ plugins {
+ eap-ttls {
+ phase2_method = md5
+ }
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/posttest.dat b/testing/tests/ikev2/rw-eap-ttls-only/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-only/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/pretest.dat b/testing/tests/ikev2/rw-eap-ttls-only/pretest.dat
new file mode 100644
index 000000000..369596177
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-only/pretest.dat
@@ -0,0 +1,10 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/test.conf b/testing/tests/ikev2/rw-eap-ttls-only/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-only/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/description.txt b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/description.txt
new file mode 100644
index 000000000..d5f0b267a
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/description.txt
@@ -0,0 +1,10 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+The strong mutual authentication is based on <b>EAP-TTLS</b> only (without a separate IKEv2
+authentication) with the gateway being authenticated by a server certificate during the
+EAP-TLS tunnel setup (phase1 of EAP-TTLS). This tunnel protects the ensuing weak client
+authentication based on <b>EAP-MD5</b> (phase2 of EAP-TTLS).
+<p/>
+With the setting <b>charon.plugins.eap-ttls.phase2_piggyback = yes</b> the server <b>moon</b>
+initiates phase2 of the EAP-TTLS protocol by piggybacking a tunneled EAP Identity request
+right onto the TLS Finished message. Client <b>carol</b> presents the correct MD5 password
+and succeeds whereas client <b>dave</b> chooses the wrong password and fails.
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/evaltest.dat b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/evaltest.dat
new file mode 100644
index 000000000..9586fe558
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/evaltest.dat
@@ -0,0 +1,19 @@
+carol::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
+carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
+dave::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
+dave::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+dave::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+moon::cat /var/log/daemon.log::EAP_TTLS phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
+moon::ipsec statusall::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
+moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@stronswan.org::NO
+carol::ipsec statusall::home.*ESTABLISHED::YES
+dave::ipsec statusall::home.*ESTABLISHED::NO
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..967598643
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+ charondebug="tls 2"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftid=carol@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+ rightsubnet=10.1.0.0/16
+ rightsendcert=never
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..378bdc540
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+ multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..ad1255212
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+ charondebug="tls 2"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_DAVE
+ leftid=dave@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+ rightsubnet=10.1.0.0/16
+ rightsendcert=never
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..d5631a9f5
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "UgaM65Va"
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..378bdc540
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+ multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..d37848bac
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ strictcrlpolicy=no
+ plutostart=no
+ charondebug="tls 2"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw-eap
+ left=PH_IP_MOON
+ leftsubnet=10.1.0.0/16
+ leftcert=moonCert.pem
+ leftauth=eap-ttls
+ leftfirewall=yes
+ rightauth=eap-ttls
+ rightsendcert=never
+ right=%any
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..b065251ea
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+ multiple_authentication=no
+ plugins {
+ eap-ttls {
+ phase2_method = md5
+ phase2_piggyback = yes
+ }
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/posttest.dat b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat
new file mode 100644
index 000000000..369596177
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat
@@ -0,0 +1,10 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/test.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/description.txt b/testing/tests/ikev2/rw-eap-ttls-radius/description.txt
new file mode 100644
index 000000000..299106b32
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/description.txt
@@ -0,0 +1,8 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the clients by sending an IKEv2
+<b>RSA signature</b> accompanied by a certificate.
+<b>carol</b> and <b>dave</b> then set up an <b>EAP-TTLS</b> tunnel each via <b>moon</b> to
+the FreeRADIUS server <b>alice</b> authenticated by an X.509 AAA certificate.
+The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on <b>EAP-MD5</b>.
+<b>carol</b> presents the correct MD5 password and succeeds whereas <b>dave</b> chooses the
+wrong password and fails.
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat
new file mode 100644
index 000000000..2c0f65159
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat
@@ -0,0 +1,21 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
+dave::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
+moon::cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
+moon::ipsec statusall::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
+moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@strongswan.org::NO
+carol::ipsec statusall::home.*ESTABLISHED::YES
+dave::ipsec statusall::home.*ESTABLISHED::NO
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+
+
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/clients.conf
new file mode 100644
index 000000000..f4e179aa4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/clients.conf
@@ -0,0 +1,4 @@
+client PH_IP_MOON1 {
+ secret = gv6URkSs
+ shortname = moon
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/eap.conf
new file mode 100644
index 000000000..c91cd40fb
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/eap.conf
@@ -0,0 +1,18 @@
+eap {
+ md5 {
+ }
+ default_eap_type = ttls
+ tls {
+ private_key_file = /etc/raddb/certs/aaaKey.pem
+ certificate_file = /etc/raddb/certs/aaaCert.pem
+ CA_file = /etc/raddb/certs/strongswanCert.pem
+ cipher_list = "DEFAULT"
+ dh_file = /etc/raddb/certs/dh
+ random_file = /etc/raddb/certs/random
+ }
+ ttls {
+ default_eap_type = md5
+ use_tunneled_reply = yes
+ virtual_server = "inner-tunnel"
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+ type = radius
+ authhost = LOCAL
+ accthost = LOCAL
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/radiusd.conf
new file mode 100644
index 000000000..1143a0473
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/radiusd.conf
@@ -0,0 +1,120 @@
+# radiusd.conf -- FreeRADIUS server configuration file.
+
+prefix = /usr
+exec_prefix = ${prefix}
+sysconfdir = /etc
+localstatedir = /var
+sbindir = ${exec_prefix}/sbin
+logdir = ${localstatedir}/log/radius
+raddbdir = ${sysconfdir}/raddb
+radacctdir = ${logdir}/radacct
+
+# name of the running server. See also the "-n" command-line option.
+name = radiusd
+
+# Location of config and logfiles.
+confdir = ${raddbdir}
+run_dir = ${localstatedir}/run/radiusd
+
+# Should likely be ${localstatedir}/lib/radiusd
+db_dir = ${raddbdir}
+
+# libdir: Where to find the rlm_* modules.
+libdir = ${exec_prefix}/lib
+
+# pidfile: Where to place the PID of the RADIUS server.
+pidfile = ${run_dir}/${name}.pid
+
+# max_request_time: The maximum time (in seconds) to handle a request.
+max_request_time = 30
+
+# cleanup_delay: The time to wait (in seconds) before cleaning up
+cleanup_delay = 5
+
+# max_requests: The maximum number of requests which the server keeps
+max_requests = 1024
+
+# listen: Make the server listen on a particular IP address, and send
+listen {
+ type = auth
+ ipaddr = PH_IP_ALICE
+ port = 0
+}
+
+# This second "listen" section is for listening on the accounting
+# port, too.
+#
+listen {
+ type = acct
+ ipaddr = PH_IP_ALICE
+ port = 0
+}
+
+# hostname_lookups: Log the names of clients or just their IP addresses
+hostname_lookups = no
+
+# Core dumps are a bad thing. This should only be set to 'yes'
+allow_core_dumps = no
+
+# Regular expressions
+regular_expressions = yes
+extended_expressions = yes
+
+# Logging section. The various "log_*" configuration items
+log {
+ destination = files
+ file = ${logdir}/radius.log
+ syslog_facility = daemon
+ stripped_names = no
+ auth = yes
+ auth_badpass = yes
+ auth_goodpass = yes
+}
+
+# The program to execute to do concurrency checks.
+checkrad = ${sbindir}/checkrad
+
+# Security considerations
+security {
+ max_attributes = 200
+ reject_delay = 1
+ status_server = yes
+}
+
+# PROXY CONFIGURATION
+proxy_requests = yes
+$INCLUDE proxy.conf
+
+# CLIENTS CONFIGURATION
+$INCLUDE clients.conf
+
+# THREAD POOL CONFIGURATION
+thread pool {
+ start_servers = 5
+ max_servers = 32
+ min_spare_servers = 3
+ max_spare_servers = 10
+ max_requests_per_server = 0
+}
+
+# MODULE CONFIGURATION
+modules {
+ $INCLUDE ${confdir}/modules/
+ $INCLUDE eap.conf
+ $INCLUDE sql.conf
+ $INCLUDE sql/mysql/counter.conf
+}
+
+# Instantiation
+instantiate {
+ exec
+ expr
+ expiration
+ logintime
+}
+
+# Policies
+$INCLUDE policy.conf
+
+# Include all enabled virtual hosts
+$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/sites-available/default
new file mode 100644
index 000000000..802fcfd8d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/sites-available/default
@@ -0,0 +1,44 @@
+authorize {
+ suffix
+ eap {
+ ok = return
+ }
+ files
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel
new file mode 100644
index 000000000..e088fae14
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel
@@ -0,0 +1,32 @@
+server inner-tunnel {
+
+authorize {
+ suffix
+ eap {
+ ok = return
+ }
+ files
+}
+
+authenticate {
+ eap
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+} # inner-tunnel server block
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/users
new file mode 100644
index 000000000..50ccf3e76
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/users
@@ -0,0 +1,2 @@
+carol Cleartext-Password := "Ar3etTnp"
+dave Cleartext-Password := "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..97a2e02c9
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+ charondebug="tls 2"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftid=carol@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ rightauth=pubkey
+ aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..378bdc540
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+ multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..d388060be
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+ charondebug="tls 2"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_DAVE
+ leftid=dave@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ rightauth=pubkey
+ aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..d5631a9f5
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "UgaM65Va"
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..378bdc540
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+ multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..56587b2e8
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,84 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+ before net
+ need logger
+}
+
+start() {
+ ebegin "Starting firewall"
+
+ # enable IP forwarding
+ echo 1 > /proc/sys/net/ipv4/ip_forward
+
+ # default policy is DROP
+ /sbin/iptables -P INPUT DROP
+ /sbin/iptables -P OUTPUT DROP
+ /sbin/iptables -P FORWARD DROP
+
+ # allow esp
+ iptables -A INPUT -i eth0 -p 50 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+ # allow IKE
+ iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+ # allow MobIKE
+ iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+ # allow crl fetch from winnetou
+ iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+ # allow RADIUS protocol with alice
+ iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+ iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+ # allow ssh
+ iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+ iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+
+ if [ $a == nat ]; then
+ /sbin/iptables -t nat -P PREROUTING ACCEPT
+ /sbin/iptables -t nat -P POSTROUTING ACCEPT
+ /sbin/iptables -t nat -P OUTPUT ACCEPT
+ elif [ $a == mangle ]; then
+ /sbin/iptables -t mangle -P PREROUTING ACCEPT
+ /sbin/iptables -t mangle -P INPUT ACCEPT
+ /sbin/iptables -t mangle -P FORWARD ACCEPT
+ /sbin/iptables -t mangle -P OUTPUT ACCEPT
+ /sbin/iptables -t mangle -P POSTROUTING ACCEPT
+ elif [ $a == filter ]; then
+ /sbin/iptables -t filter -P INPUT ACCEPT
+ /sbin/iptables -t filter -P FORWARD ACCEPT
+ /sbin/iptables -t filter -P OUTPUT ACCEPT
+ fi
+ done
+ eend $?
+}
+
+reload() {
+ ebegin "Flushing firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+ done;
+ eend $?
+ start
+}
+
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..fc8f84638
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw-eap
+ left=PH_IP_MOON
+ leftsubnet=10.1.0.0/16
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftauth=pubkey
+ leftfirewall=yes
+ rightauth=eap-radius
+ rightid=*@strongswan.org
+ rightsendcert=never
+ right=%any
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..e86d6aa5c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..4d2d3058d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-radius updown
+ multiple_authentication=no
+ plugins {
+ eap-radius {
+ secret = gv6URkSs
+ server = PH_IP_ALICE
+ }
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat
new file mode 100644
index 000000000..dbe56013a
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat
@@ -0,0 +1,7 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+alice::/etc/init.d/radiusd stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat
new file mode 100644
index 000000000..cbe1ae229
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat
@@ -0,0 +1,11 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+alice::/etc/init.d/radiusd start
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/test.conf b/testing/tests/ikev2/rw-eap-ttls-radius/test.conf
new file mode 100644
index 000000000..e6a786a94
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice carol winnetou dave moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown
index 442233f32..0d22e684d 100755
--- a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown
+++ b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown
@@ -124,7 +124,7 @@
# PLUTO_MARK_OUT
# is an optional XFRM mark set on the outbound IPsec SA
#
-# PLUTO_ESP_ENC
+# PLUTO_UDP_ENC
# contains the remote UDP port in the case of ESP_IN_UDP
# encapsulation
#
diff --git a/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/ipsec.conf
index 2814e881f..9940e81a5 100755
--- a/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn net-net
also=host-host
diff --git a/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/ipsec.conf
index 4cf027ad5..016adc095 100755
--- a/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn net-net
also=host-host
diff --git a/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/ipsec.conf
index 84abbb07a..bb96a71e0 100755
--- a/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn net-net
also=host-host
diff --git a/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/ipsec.conf
index 4cf027ad5..016adc095 100755
--- a/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn net-net
also=host-host
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf
index 4e73b5292..1cfd1eb1f 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = curl aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac
+ load = curl aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac kernel-netlink
}
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf
index 825ae1264..1cfd1eb1f 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = curl aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac
+ load = curl aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac kernel-netlink
}
diff --git a/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/ipsec.conf
index b27609917..363c910b0 100755
--- a/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn home
left=PH_IP6_CAROL
diff --git a/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/ipsec.conf
index 0129ef744..1b5a2aced 100755
--- a/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn rw
left=PH_IP6_MOON
diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/ipsec.conf
index 5d77c2dd5..76135d1ee 100755
--- a/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
authby=secret
conn home
diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.conf
index 78f674026..69b154bcf 100755
--- a/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.conf
@@ -9,6 +9,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
authby=secret
conn rw
diff --git a/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/ipsec.conf
index 8bc0deba8..69ba50530 100755
--- a/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn host-host
left=PH_IP6_MOON
diff --git a/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/ipsec.conf
index b68082dd9..a7c6b18c7 100755
--- a/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
conn host-host
left=PH_IP6_SUN
diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
index c226d97d0..982b2fdb2 100755
--- a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
ike=camellia192-sha384-modp3072!
esp=camellia192-sha384!
diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
index 4ccc387bd..1ea14c6f2 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = pem pkcs1 openssl random hmac curl
+ load = pem pkcs1 openssl random hmac curl kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf
index e26d972f0..b6f719256 100755
--- a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev1
ike=camellia192-sha384-modp3072!
esp=camellia192-sha384!
diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf
index 4ccc387bd..1ea14c6f2 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = pem pkcs1 openssl random hmac curl
+ load = pem pkcs1 openssl random hmac curl kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/alg-camellia/test.conf b/testing/tests/openssl-ikev1/alg-camellia/test.conf
index fd33cfb57..6abbb89a9 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/test.conf
+++ b/testing/tests/openssl-ikev1/alg-camellia/test.conf
@@ -5,11 +5,11 @@
# All UML instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
# UML instances on which tcpdump is to be started
#
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf
index 4ccc387bd..1ea14c6f2 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = pem pkcs1 openssl random hmac curl
+ load = pem pkcs1 openssl random hmac curl kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf
index 3562ddc67..bdd3f5582 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = aes des sha1 sha2 md5 pem pkcs1 x509 gmp pem pkcs1 openssl random hmac curl
+ load = aes des sha1 sha2 md5 pem pkcs1 x509 gmp pem pkcs1 openssl random hmac curl kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf
index 4ccc387bd..1ea14c6f2 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = pem pkcs1 openssl random hmac curl
+ load = pem pkcs1 openssl random hmac curl kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf
index 63892fd33..1ea14c6f2 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = pem pkcs1 openssl random hmac curl
+ load = pem pkcs1 openssl random hmac curl kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf
index 3562ddc67..bdd3f5582 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = aes des sha1 sha2 md5 pem pkcs1 x509 gmp pem pkcs1 openssl random hmac curl
+ load = aes des sha1 sha2 md5 pem pkcs1 x509 gmp pem pkcs1 openssl random hmac curl kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf
index 63892fd33..1ea14c6f2 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = pem pkcs1 openssl random hmac curl
+ load = pem pkcs1 openssl random hmac curl kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf
index 4ccc387bd..1ea14c6f2 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = pem pkcs1 openssl random hmac curl
+ load = pem pkcs1 openssl random hmac curl kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf
index a96b54446..4c5d53dff 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = pem pkcs1 pem pkcs1 openssl random hmac curl
+ load = pem pkcs1 pem pkcs1 openssl random hmac curl kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf
index 4ccc387bd..1ea14c6f2 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = pem pkcs1 openssl random hmac curl
+ load = pem pkcs1 openssl random hmac curl kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
index 1029b8536..a8fecbc2f 100644
--- a/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = test-vectors pem pkcs1 openssl random hmac curl
+ load = test-vectors pem pkcs1 openssl random hmac curl kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
index 2da706ef7..85164eeb7 100644
--- a/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = test-vectors aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac curl
+ load = test-vectors aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac curl kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
index edc6dbed4..763503e29 100644
--- a/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = test-vectors pem pkcs1 openssl random hmac curl
+ load = test-vectors pem pkcs1 openssl random hmac curl kernel-netlink
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev2/alg-camellia/test.conf b/testing/tests/openssl-ikev2/alg-camellia/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/test.conf
+++ b/testing/tests/openssl-ikev2/alg-camellia/test.conf
@@ -5,11 +5,11 @@
# All UML instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
# UML instances on which tcpdump is to be started
#
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
index 206f029f3..c78da2c08 100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = curl test-vectors pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
+ load = curl test-vectors pem pkcs1 openssl revocation random hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
}
libstrongswan {
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
index 208f1c36d..e483eba9d 100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown
+ load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
}
libstrongswan {
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
index 3ae6205cb..848adaf6a 100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = curl test-vectors pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
+ load = curl test-vectors pem pkcs1 openssl revocation random hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
}
libstrongswan {
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/description.txt b/testing/tests/openssl-ikev2/rw-eap-tls-only/description.txt
new file mode 100644
index 000000000..e25da6935
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/description.txt
@@ -0,0 +1,5 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+The strong mutual authentication of both peers is based on <b>EAP-TLS</b> only
+(without a separate IKEv2 authentication), using TLS client and server certificates,
+respectively. Elliptic curve cryptography is used by both the IKE and TLS
+protocols.
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat b/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat
new file mode 100644
index 000000000..dad834ca6
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat
@@ -0,0 +1,10 @@
+carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
+carol::cat /var/log/daemon.log::negotiated TLS version TLS 1.2 with suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256::YES
+carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=ECDSA 521 bit, CN=moon.strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=ECDSA 256 bit, CN=carol@strongswan.org' with EAP successful::YES
+moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..02ece4738
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+ charondebug="tls 2"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=aes128-sha256-ecp256!
+ esp=aes128-sha256!
+
+conn home
+ left=PH_IP_CAROL
+ leftcert=carolCert.pem
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid="C=CH, O=Linux strongSwan, OU=ECDSA 521 bit, CN=moon.strongswan.org"
+ rightsubnet=10.1.0.0/16
+ rightsendcert=never
+ auto=add
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/certs/carolCert.pem
new file mode 100644
index 000000000..29709926a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7zCCAlGgAwIBAgIBBDAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
+VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
+b3QgQ0EwHhcNMDgwNjIyMTYyOTE4WhcNMTMwNjIxMTYyOTE4WjBfMQswCQYDVQQG
+EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
+MjU2IGJpdDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO
+PQIBBggqhkjOPQMBBwNCAAQgp/Z/GgzvVCDdVcIYqERml0KroZEaVqiF8uy8dlTS
+4mxNs6snDdEWh/LzXTd3NVnCihT2XgHxOk8NrX4hBMMYo4IBFDCCARAwCQYDVR0T
+BAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFLdhGhurno1dU2SMx7UGXpa/lgJ9
+MHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHuj9jSoUykSjBIMQswCQYDVQQG
+EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25n
+U3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHwYDVR0RBBgwFoEUY2Fyb2xAc3Ry
+b25nc3dhbi5vcmcwPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdz
+d2FuLm9yZy9zdHJvbmdzd2FuX2VjLmNybDAJBgcqhkjOPQQBA4GMADCBiAJCATa+
+sBFW3vCx/JgLyxU85F2QuLO0/zdNBhIU0kN7kr1cYBBr8mpbhuNKm6iFe2DsFJZx
+ii3DQjwvG46is2Njzi4vAkIA72lPodCDtAFpD/2PUxjzo6xTAFazUejobkdDTUXn
+s0f8qIzzeQuTwLbp6pDmR/JGzhAeRvQT82njCo0PJ8Hbz1c=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/private/carolKey.pem
new file mode 100644
index 000000000..5f21c1012
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -0,0 +1,8 @@
+-----BEGIN EC PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-128-CBC,F36088B0517117B50C1A436E5C84526E
+
+Zulq4O8x8i4P2I8+Ewe2pPJT8K2kzX9JjGhquFKaZdEG1YmXqIdMz41DA1b9cQjt
+KJstY10Gzc/C6Hv9v/ljfplcnumYBFdFsqvQ/Z0xh/G9u/J1gXjghhrQCUXbFble
+RVSwozA9IcCC9yQdhYyazF+85DR+p8AyQ5w2unOvuOk=
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..4e53ef91a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA carolKey.pem "nH5ZQEWtku0RJEZ6"
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ed9b8c764
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl pem pkcs1 random openssl revocation hmac xcbc stroke kernel-netlink socket-default eap-tls updown
+ multiple_authentication=no
+}
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..2679d4f9b
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ strictcrlpolicy=no
+ plutostart=no
+ charondebug="tls 2"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=aes128-sha256-ecp256!
+ esp=aes128-sha256!
+
+conn rw-eap
+ left=PH_IP_MOON
+ leftsubnet=10.1.0.0/16
+ leftcert=moonCert.pem
+ leftauth=eap-tls
+ leftfirewall=yes
+ rightauth=eap-tls
+ rightsendcert=never
+ right=%any
+ auto=add
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/certs/moonCert.pem
new file mode 100644
index 000000000..5178c7f38
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/certs/moonCert.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDMDCCApKgAwIBAgIBATAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
+VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
+b3QgQ0EwHhcNMDgwNjIyMTQ0MzA3WhcNMTMwNjIxMTQ0MzA3WjBeMQswCQYDVQQG
+EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
+NTIxIGJpdDEcMBoGA1UEAxMTbW9vbi5zdHJvbmdzd2FuLm9yZzCBmzAQBgcqhkjO
+PQIBBgUrgQQAIwOBhgAEALmnl/PUy9v7Qsc914kdzY+TQ6VY2192oRoa9SkpxXrs
+5GnWSJoz3yinpPHdchH0UknKt/C2Ik2k7izDH/Zau5gNAD1PqBrYWtcP+sLnH1G9
+BTibraniAUSpSaDhiWrfTteRNWqkzZI37a6YfKcBZozQcvYMW1co15EwZTptqykX
+Eepuo4IBEzCCAQ8wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFDVU
+Hzs47lOG0dHsezm6aFqdwJwfMHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHu
+j9jSoUykSjBIMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh
+bjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHgYD
+VR0RBBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6Athito
+dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAkGByqG
+SM49BAEDgYwAMIGIAkIBDgZs1pXvm8SwT9S1m6nIHwuZsJDsDri/PWM6NXdMUXEt
+l0p8cfq8PbJlK/0+eLz8Ec1zpWuF5vasFHkVhauHdnECQgEVuYTrlry9gAx7G4kH
+mne2yDxTclEDziWxPG4UkZbkGttf9eZlsXmNoX/Z/fojXxMYZaPqM3eOT2h6ezMD
+CI9WpQ==
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/private/moonKey.pem
new file mode 100644
index 000000000..beab0485f
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -0,0 +1,7 @@
+-----BEGIN EC PRIVATE KEY-----
+MIHcAgEBBEIBrBxHEGICJRNkhm0HWfARp+dIzm6Lw7eCbQXNM6jSGL4DVNDVCV42
+yOKQqifWEcNWxO+wWtBaz91IF5hz/m4TbOGgBwYFK4EEACOhgYkDgYYABAC5p5fz
+1Mvb+0LHPdeJHc2Pk0OlWNtfdqEaGvUpKcV67ORp1kiaM98op6Tx3XIR9FJJyrfw
+tiJNpO4swx/2WruYDQA9T6ga2FrXD/rC5x9RvQU4m62p4gFEqUmg4Ylq307XkTVq
+pM2SN+2umHynAWaM0HL2DFtXKNeRMGU6baspFxHqbg==
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..1ef3eccb5
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA moonKey.pem
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..46d8e2933
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl pem pkcs1 random openssl revocation hmac xcbc stroke kernel-netlink socket-default eap-tls updown
+ multiple_authentication=no
+}
+
+libtls {
+ key_exchange = ecdhe-ecdsa
+ cipher = aes128
+ mac = sha256
+}
+
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/posttest.dat b/testing/tests/openssl-ikev2/rw-eap-tls-only/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat b/testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat
new file mode 100644
index 000000000..ed5498bfe
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat
@@ -0,0 +1,7 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/test.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/test.conf
new file mode 100644
index 000000000..9cd583b16
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/pfkey/alg-aes-xcbc/test.conf b/testing/tests/pfkey/alg-aes-xcbc/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/pfkey/alg-aes-xcbc/test.conf
+++ b/testing/tests/pfkey/alg-aes-xcbc/test.conf
@@ -5,11 +5,11 @@
# All UML instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
# UML instances on which tcpdump is to be started
#
diff --git a/testing/tests/pfkey/alg-sha384/test.conf b/testing/tests/pfkey/alg-sha384/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/pfkey/alg-sha384/test.conf
+++ b/testing/tests/pfkey/alg-sha384/test.conf
@@ -5,11 +5,11 @@
# All UML instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
# UML instances on which tcpdump is to be started
#
diff --git a/testing/tests/pfkey/alg-sha512/test.conf b/testing/tests/pfkey/alg-sha512/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/pfkey/alg-sha512/test.conf
+++ b/testing/tests/pfkey/alg-sha512/test.conf
@@ -5,11 +5,11 @@
# All UML instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
# UML instances on which tcpdump is to be started
#
diff --git a/testing/tests/pfkey/esp-alg-null/test.conf b/testing/tests/pfkey/esp-alg-null/test.conf
index acb73b06f..9cd583b16 100644
--- a/testing/tests/pfkey/esp-alg-null/test.conf
+++ b/testing/tests/pfkey/esp-alg-null/test.conf
@@ -5,11 +5,11 @@
# All UML instances that are required for this test
#
-UMLHOSTS="moon carol winnetou"
+UMLHOSTS="alice moon carol winnetou"
# Corresponding block diagram
#
-DIAGRAM="m-c-w.png"
+DIAGRAM="a-m-c-w.png"
# UML instances on which tcpdump is to be started
#
diff --git a/testing/tests/sql/ip-pool-db-expired/posttest.dat b/testing/tests/sql/ip-pool-db-expired/posttest.dat
index d4d57ad83..40b1a403e 100644
--- a/testing/tests/sql/ip-pool-db-expired/posttest.dat
+++ b/testing/tests/sql/ip-pool-db-expired/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
+moon::ipsec stop
moon::/etc/init.d/iptables stop 2> /dev/null
carol::/etc/init.d/iptables stop 2> /dev/null
dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/sql/ip-pool-db-restart/posttest.dat b/testing/tests/sql/ip-pool-db-restart/posttest.dat
index d4d57ad83..40b1a403e 100644
--- a/testing/tests/sql/ip-pool-db-restart/posttest.dat
+++ b/testing/tests/sql/ip-pool-db-restart/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
+moon::ipsec stop
moon::/etc/init.d/iptables stop 2> /dev/null
carol::/etc/init.d/iptables stop 2> /dev/null
dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/sql/ip-pool-db/posttest.dat b/testing/tests/sql/ip-pool-db/posttest.dat
index d4d57ad83..40b1a403e 100644
--- a/testing/tests/sql/ip-pool-db/posttest.dat
+++ b/testing/tests/sql/ip-pool-db/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
+moon::ipsec stop
moon::/etc/init.d/iptables stop 2> /dev/null
carol::/etc/init.d/iptables stop 2> /dev/null
dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/sql/ip-split-pools-db-restart/posttest.dat b/testing/tests/sql/ip-split-pools-db-restart/posttest.dat
index 5ff7b9d47..0fce500bf 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/posttest.dat
+++ b/testing/tests/sql/ip-split-pools-db-restart/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
+moon::ipsec stop
moon::rm /etc/ipsec.d/ipsec.*
carol::rm /etc/ipsec.d/ipsec.*
dave::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/ip-split-pools-db/posttest.dat b/testing/tests/sql/ip-split-pools-db/posttest.dat
index 5ff7b9d47..0fce500bf 100644
--- a/testing/tests/sql/ip-split-pools-db/posttest.dat
+++ b/testing/tests/sql/ip-split-pools-db/posttest.dat
@@ -1,6 +1,6 @@
-moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
+moon::ipsec stop
moon::rm /etc/ipsec.d/ipsec.*
carol::rm /etc/ipsec.d/ipsec.*
dave::rm /etc/ipsec.d/ipsec.*